Network Security

Dramatic Spike in URL Shortening by Scammers

Back in May I wrote "Dirty URL Tricks" about the increasing risk presented by the rise of URL shortening services like Bit.ly and TinyURL, driven largely by short messaging services like Twitter.  I closed the article by predicting that scammers were going to start aggressively exploiting these services as a means of masking their malicious URLs. Judging by the dramatic spike in URL shortening service usage by spammers and phishers the following month, I'd say that the entire scamming community must be reading my blog.  However, since I'm quite in tune with the number of readers I have, and I'm fairly...

Back Online

Took longer than I expected for Comcast to bring my business-class Internet connection into the house, but I'm back online as of tonight. Oh, and for the record, my Chrysler transferred my data at the rate of 230Kb/s.  It would have been faster, but the 98mph speeding ticket I got on the way through Colorado spooked me for the rest of the trip.  I spent the rest of the drive going about 5mph over the speed limit.

Going dark for a few days

The blog will be dark for a few days while I transport my server and accoutrements from Oklahoma to Seattle, and get it set back up. I'll calculate and publish the data transfer rate of my Chrysler 300C upon my arrival (yeah, it's got a Hemi).

Ten Habits of Highly Effective InfoSec Leaders

I have been doing a lot of thinking lately, given the state of the economy and some of the discussion I've had with many of my colleagues.  What I've come to realize is that I have taken a different approach than many of my colleagues when it comes to leadership and Information Security.  It's well past time to reinvent the information security field, and reverse the impression that we are the Ministry of No, and the buzzkills that are constantly looking to shut down everyone's chat.  Our role is so much more than that. Too often we paint ourselves into...

InfoSec in the Courts

Some interesting infosec cases have come up in court recently. Last month, the Supreme Court agreed to hear a case challenging the constitutionality of the Sarbanes-Oxley Act of 2002 (aka SOX). More recently, Wired reports that Merrick Bank is suing PCI QSA Savvis for giving Card Systems a passing grade on a PCI audit just 3 months prior to Card Systems getting hacked and ultimately exposing 40 million credit cards to the intruders.  The breach cost Merrick nearly $18M to fend off the resulting fraud, settle claims, and replace compromised cards. While SOX has been a driver of security investments in the years...

Prevention eventually fails. What's your plan?

A recent study conducted by British Telecom claims that 94% of the companies they polled expected to suffer a compromise sometime in 2009. I guess companies are finally acknowledging one of Information Security's most sacred truths:  Prevention eventually fails.  I first heard this truism while reading Richard Bejtlich's fantastic book The Tao of Network Security Monitoring.  In it, he claims that preventive controls are doomed to eventual failure due to 2 factors: Some intruders are smarter than the people securing the systems, and intruders are unpredictable. These sobering facts recently prompted InfoSec pioneer Dan Geer to comment in an interview: [...]the world we...

Dirty URL Tricks

I've preached for years the need for users to scrutinize heavily any URLs in emails they receive, especially in emails from financial institutions.  As applications and operating systems get more and more secure, hackers are increasingly relying on tricking the end users into clicking on a hostile link or otherwise actively enabling the compromise of their own system. Traditionally, one of the mechanisms you can use to determine that an email is a phishing attempt is to scrutinize the link or button the email wants you to click. For instance, you can hover your mouse over this http://www.Visa.com link, and determine pretty...
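
The hover check from this post, and the shortened-URL masking from the "Dramatic Spike in URL Shortening by Scammers" post above, can both be done by a script instead of a mouse. The following is an added example, not code from either post: it pulls every anchor out of an HTML e-mail body, compares the host named in the visible link text with the host the href actually points to, and flags hrefs on shortening services. The sample e-mail and the shortener list are constructed for illustration; extend the list for your own environment.

```powershell
# Added example (not from the original posts): flag look-alike and shortened
# links in an HTML e-mail body. Shortener list and sample mail are constructed.
$Shorteners = @('bit.ly', 'tinyurl.com')   # assumption: the two services the posts name

function Get-DomainFromText {
    param([string]$Text)
    # Visible label like "http://www.Visa.com" or "www.visa.com" -> "visa.com"
    if ($Text -match '(?i)(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})') {
        return $Matches[1].ToLowerInvariant()
    }
    return $null
}

function Test-EmailLinks {
    param([Parameter(Mandatory)][string]$Html)
    $pattern = '<a\s[^>]*?href\s*=\s*"([^"]+)"[^>]*>(.*?)</a>'
    $anchors = [regex]::Matches($Html, $pattern, 'IgnoreCase, Singleline')
    foreach ($a in $anchors) {
        $href  = $a.Groups[1].Value
        $label = ($a.Groups[2].Value -replace '<[^>]+>', '').Trim()   # strip inner tags
        try {
            # [uri] throws on anything that is not an absolute URI
            $hrefHost = ([uri]$href).Host.ToLowerInvariant() -replace '^www\.', ''
        } catch {
            $hrefHost = $null
        }
        $labelHost = Get-DomainFromText $label
        $verdict = 'ok'
        if (-not $hrefHost) {
            $verdict = 'unparseable href'
        } elseif ($Shorteners -contains $hrefHost) {
            $verdict = 'shortened URL hides the real destination'
        } elseif ($labelHost -and $labelHost -ne $hrefHost) {
            $verdict = "label says $labelHost but link goes to $hrefHost"
        }
        [pscustomobject]@{ Label = $label; Href = $href; Verdict = $verdict }
    }
}

# Constructed sample: one look-alike link, one shortened link, one honest link.
$sampleHtml = @'
<p>Your account needs verification.</p>
<a href="http://www.visa.com.example-login.net/verify">http://www.Visa.com</a><br>
<a href="http://bit.ly/2x4bogus">Click here to confirm</a><br>
<a href="https://www.visa.com/">www.visa.com</a>
'@

Test-EmailLinks -Html $sampleHtml | Format-Table -AutoSize
```

The comparison strips a leading "www." from both sides and then requires the rest to match exactly, so "visa.com" in the label against "visa.com.example-login.net" in the href is reported as a mismatch, which is exactly the trick a hover reveals. A label with no host in it ("Click here to confirm") cannot be compared, so only the shortener check applies to it.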

Verizon Data Breach Report for 2008, Part 1

Verizon's first report of 2009 is the 4th such report published publicly by Verizon (they have performed 28 such analyses to date, but only recently decided to go public with them).  Verizon's goal is to release these reports on a roughly quarterly basis going forward. The report largely focuses on breaches occurring in the 2008 calendar year, but does reference data gathered from prior years.  The 2008 year saw an unprecedented number of records compromised.  Verizon alone responded to breaches representing 285 million records, more than all prior years (2004-2007) combined, and those are the focus of this report. The Actors I think we can...

ToorCamp 09 - I'm *SO* There

What do you get when you mix a bunch of techno-miscreants and a decommissioned Titan-1 Ballistic Missile Silo?  ToorCamp 2009, that's what. ToorCamp is the United States' first-ever full-scale hacker camp. Modelled after the camps in Holland and Germany, ToorCamp will focus on all of the technology topics that ToorCon has become famous for but will expand out into other areas of society. ToorCamp will offer 2 days of talks on many different topics -- Security, Internet, Emerging Technologies, Hardware Hacking, and Privacy are just some of the areas we will be covering. ToorCamp will also feature 2 days of...

The Perfect Is The Enemy Of The Good

Voltaire once said "Le Mieux est l'ennemi du bien."  Which translates roughly into "The perfect is the enemy of the good." I, not being a writer of Voltaire's prolific stature, have often expressed this sentiment in my own way: "Anything worth doing is worth doing poorly."  Which usually attracts some puzzled looks from my colleagues... Yeah, Frenchy probably said it more eloquently than I ever did, but the sentiment is the same:  Don't get so wrapped up in doing something perfectly that you ultimately don't do *anything*.  This concept first hit me a few years back, when I was watching the old reality show "Project Greenlight".  The...

Security Awareness Series - #1: Why Should I Care?

I am launching a series of posts focusing on Security Awareness topics.  These will include PowerPoint presentations that can be adapted and used for your own specific situation. The first, entitled "Why Should I Care?" deals with the apathy from the general public about information security issues and responsibilities.  There are notes attached to the slides that give you some ideas for talking points. Feel free to modify the slides for your own use, but do try to attribute me and bmonday.com in some way.  If you improve on these slides, please send me your finished work so I can incorporate it into my slide...

Hashing Algorithm Roundup

As a follow-up to yesterday's roundup of encryption algorithms, I bring you a roundup of popular hashing algorithms.  Unlike encryption, which is generally a 2-way function (encrypt, then decrypt), hashing is generally one-way.  There is no way to determine the original text based on a hash (except brute force) if it is properly implemented.  So what's the point of that?  Well, primarily it's used to verify the integrity of a given bit of data.  Say, for instance, you are doing forensics on a computer system, and you generate hashes of all the files on the file system.  You can demonstrate later,...
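
The forensic use described above, hashing every file so you can prove later that nothing changed, looks like this in practice. The following is an added example, not code from the original post: one function writes a SHA-256 manifest of a directory tree, the other re-hashes the tree against that manifest and reports what was modified, added or is missing. Paths are assumptions; the demo at the bottom builds its own scratch files under the temp directory.

```powershell
# Added example (not from the original post): hash manifest of a directory
# tree plus a verifier. Uses the built-in Get-FileHash cmdlet.
function New-HashManifest {
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][string]$ManifestPath,
        [string]$Algorithm = 'SHA256'      # Get-FileHash also accepts SHA1, MD5, SHA512
    )
    $rootFull = (Resolve-Path -LiteralPath $Root).ProviderPath.TrimEnd('\')
    Get-ChildItem -LiteralPath $rootFull -File -Recurse -Force | ForEach-Object {
        $h = Get-FileHash -LiteralPath $_.FullName -Algorithm $Algorithm
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($rootFull.Length + 1)
            Length       = $_.Length
            Algorithm    = $h.Algorithm
            Hash         = $h.Hash
        }
    } | Export-Csv -LiteralPath $ManifestPath -NoTypeInformation
    # Record the manifest's own hash somewhere the evidence cannot touch
    # (case notes, a signed mail); that is what makes the manifest trustworthy.
    (Get-FileHash -LiteralPath $ManifestPath -Algorithm $Algorithm).Hash
}

function Test-HashManifest {
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][string]$ManifestPath
    )
    $rootFull = (Resolve-Path -LiteralPath $Root).ProviderPath.TrimEnd('\')
    $expected = @{}
    Import-Csv -LiteralPath $ManifestPath | ForEach-Object { $expected[$_.RelativePath] = $_ }
    $seen = @{}
    Get-ChildItem -LiteralPath $rootFull -File -Recurse -Force | ForEach-Object {
        $rel = $_.FullName.Substring($rootFull.Length + 1)
        $seen[$rel] = $true
        if (-not $expected.ContainsKey($rel)) {
            [pscustomobject]@{ Status = 'ADDED'; Path = $rel }
            return                       # 'return' inside ForEach-Object moves to the next item
        }
        $e = $expected[$rel]
        $actual = (Get-FileHash -LiteralPath $_.FullName -Algorithm $e.Algorithm).Hash
        if ($actual -ne $e.Hash) { [pscustomobject]@{ Status = 'MODIFIED'; Path = $rel } }
    }
    foreach ($rel in $expected.Keys) {
        if (-not $seen.ContainsKey($rel)) { [pscustomobject]@{ Status = 'MISSING'; Path = $rel } }
    }
}

# Demo on constructed scratch files: hash the tree, tamper with one file,
# plant another, then verify against the saved manifest.
$scratch = Join-Path $env:TEMP ('hashdemo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path (Join-Path $scratch 'sub') -Force | Out-Null
Set-Content -LiteralPath (Join-Path $scratch 'a.txt')     -Value 'original a'
Set-Content -LiteralPath (Join-Path $scratch 'sub\b.txt') -Value 'original b'
$manifest = Join-Path $env:TEMP 'hashdemo-manifest.csv'
$manifestHash = New-HashManifest -Root $scratch -ManifestPath $manifest
"Manifest hash: $manifestHash"
Set-Content -LiteralPath (Join-Path $scratch 'a.txt')     -Value 'tampered a'
Set-Content -LiteralPath (Join-Path $scratch 'sub\c.txt') -Value 'planted c'
Test-HashManifest -Root $scratch -ManifestPath $manifest | Format-Table -AutoSize
```

The manifest is kept outside the tree it describes, and its own hash is returned so you can write it down separately; a manifest stored next to the evidence, with nothing vouching for the manifest itself, proves very little.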

Encryption Algorithm Roundup

I decided to do a roundup of popular encryption algorithms.  This post focuses on symmetric key algorithms.  It is not intended to be an exhaustive list, but does cover 99% of the algorithms currently in use today. In the table below, I have flagged broken/flawed algorithms in RED.  Those are better than no encryption, but they should be avoided if other options are available.  Algorithms marked in GREEN are considered strong, and are recommended for use in all scenarios.  My current algorithm of choice is Rijndael, which enjoys wide adoption and support thanks to its selection by NIST as the current...

Using GMail as Your SMTP Gateway

Did you know that if you have a GMail account, you can use their mail system's SMTP service for free?  I am using it to deliver "Contact Me" messages from my blog to my account at GMail, but you can send emails to anyone using it. Here's how to configure your email client (or server email component) to use GMail for outbound mail delivery:
Set the software's SMTP server to smtp.gmail.com
Enable authentication for the connection, and enter your gmail account credentials...
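
For a "server email component" that is a script rather than a mail client, the same two settings look like this. This is an added example, not code from the original post: it sends through smtp.gmail.com with authentication from PowerShell using the .NET System.Net.Mail classes. Port 587 with STARTTLS is an assumption the truncated text above does not state, and the credential is prompted for rather than stored in the script. One present-day caveat that is not from the original post: Google no longer accepts the plain account password for this kind of client, so the password you supply has to be an app password (or you use OAuth).

```powershell
# Added example (not from the original post): relay mail through Gmail's
# authenticated SMTP service. Port 587/STARTTLS and the app-password
# requirement are assumptions about current Gmail, not from the post.
function Send-ViaGmail {
    param(
        [Parameter(Mandatory)][string]$To,
        [Parameter(Mandatory)][string]$Subject,
        [Parameter(Mandatory)][string]$Body,
        [Parameter(Mandatory)][pscredential]$Credential   # Gmail address + app password
    )
    $client = New-Object System.Net.Mail.SmtpClient('smtp.gmail.com', 587)
    $client.EnableSsl   = $true                           # STARTTLS on 587
    $client.Credentials = $Credential.GetNetworkCredential()
    $from = $Credential.UserName                          # Gmail sends as the authenticated account
    $msg  = New-Object System.Net.Mail.MailMessage($from, $To, $Subject, $Body)
    try {
        $client.Send($msg)
    } finally {
        $msg.Dispose()
        $client.Dispose()
    }
}

# Usage: prompt once for the credential instead of hardcoding a password.
#   $cred = Get-Credential -UserName 'you@gmail.com' -Message 'Gmail app password'
#   Send-ViaGmail -To 'you@gmail.com' -Subject 'Contact form' -Body 'Hello from the blog' -Credential $cred
```

If the credential has to live in a script on a server (the blog's contact form case), keep it in a DPAPI-protected file via Export-Clixml rather than in the script text, and use a dedicated account so a leaked relay password does not also expose your mailbox.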

The Internet's Dirty Little Secret(s)

Diligent readers may remember that I have, at times, hinted about how fundamentally flawed the Internet is.  And the fact that an attacker with sufficient knowledge could do some very devastating damage, even without one of those fancy botnets.  It's a conversation we normally have behind closed doors at security conferences, or other confabs, and don't talk much about it openly because there's not a damn thing we can really do about these problems. The Internet, when it was built, was all about Availability, and not much at all about the other 2 fundamental principles of security, Confidentiality and Integrity.  And...

This might become my new email signature

Mike Rothman, of Pragmatic CSO fame, laid down one of the best one-liners of all time in a recent blog post: It's about serving the business, NOT THE AUDITORS. If you protect information effectively (which is a key imperative for the business), then the auditors should be kept reasonably happy. And if not, screw them and fight them. Yes, the auditor can make your life a bit harder, but you don't work for them. Keep that in mind. OK, technically, that's a five-liner, but you get the point. I can't tell you how many companies I've seen spend a million dollars a year...

Even a broken clock is right twice a day

I'm a rather pragmatic security practitioner.  If I think something is dumb, even if it's on someone's “Best Practices” list, I'm not above calling it out.  Some examples:  I think, in the majority of cases, antivirus on a server is dumb.  I think renaming your Administrator account is dumb (almost all tools that attack Admin now do so using the SID).  I think account lockouts are dumb (they are a crutch for weak passwords).  I think writing down a strong, complex password is better than using a weak password if that's all you can reliably remember (no, don't then stick it to...

Identifying Stale Machine Accounts

I'm sick of googling for this the few times per year I need it, so putting it here for future reference: To identify stale computer accounts in your Active Directory, you can look at the last time they changed their passwords.  Windows 2000 and later machines will change their computer account passwords every 30 days by default (the machine does this itself when it talks to a domain controller, so a box that has been powered off or off the network for a while will look stale as well).  Machine accounts that have gone well past 30 days without changing their account passwords are probably no longer in use (or they have a problem preventing them from communicating with the domain controller(s)). The easiest way to enumerate machine account password age is a free tool called...
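
The original post goes on to name a free tool for this; the following is a separate added example, not that tool and not code from the post, doing the same check with the ActiveDirectory module (RSAT) so the threshold is a parameter. The 90-day default is an assumption: three missed 30-day cycles, which keeps a laptop that was off the network for a few weeks out of the list.

```powershell
# Added example (not from the original post): computer accounts whose
# password is older than a threshold. Requires the ActiveDirectory module.
function Get-StaleComputerAccount {
    param([int]$Days = 90)      # assumption: three missed 30-day change cycles
    $cutoff = (Get-Date).AddDays(-$Days)
    # The AD module's filter parser expands $cutoff inside the single-quoted filter.
    Get-ADComputer -Filter 'PasswordLastSet -lt $cutoff -and Enabled -eq $true' -Properties PasswordLastSet, LastLogonDate, OperatingSystem |
        Sort-Object PasswordLastSet |
        Select-Object Name, PasswordLastSet, LastLogonDate, OperatingSystem
}

Get-StaleComputerAccount -Days 90 | Format-Table -AutoSize

# Without the module, the built-in dsquery gives the same list by password age:
#   dsquery computer -stalepwd 90 -limit 0
```

LastLogonDate is pulled alongside the password age because the two together separate "never comes back" from "comes back but cannot change its password": an account with an old password but a recent logon has a secure-channel problem, not a decommissioned machine.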

Scars of 9/11

I've never told this story, not even to my family. 9/11 is why I'm in the security business.  Corny as it sounds, when 9/11 happened, I decided that the way I could contribute to making the world a better place was to apply my IT knowledge to securing the world's Windows networks.  I had flown out of Logan airport in Boston the day prior to the attacks.  I was galvanized.  I quit my job, put myself through a number of SANS courses, and focused my 15+ year IT career towards security. I even traded my BMW in for a Jeep, in a semi-ridiculous...

RSA Connections

RSA is 50% learning and 50% networking.  At roughly 17,000 attendees, it is far and away the largest gathering of information security practitioners and vendors.  You make professional connections here that you cannot otherwise make. The Peer-to-Peer sessions are networking gold.  You have 20 people all struggling with some particular aspect of the business, and you generally leave with the personal contact information from at least half of them.  The world's information gets more secure as a result of these short sessions, and the relationships we build after the event is over.  Unfortunately, due to the small number of people permitted into them,...

RSA Random Links

Here are some interesting links that I noted during RSA.  These are mostly for my own benefit, but I won't tell anyone if you click on them.  I'm not the boss of you.
Symantec Threat Report - 2nd Half of 2007: Executive Summary, Full Report
US Government's Trusted Internet Connection Initiative
Oracle's call for better secure coding education at the university level
Federal Desktop Core Configuration, which is the secure configuration that the government uses by default, and has recently mandated that any off-the-shelf software product must operate properly with before being considered for purchase.  Site includes MS Virtual Server images of the FDCC configuration...

RSA Random Stats

Going through my notes from the week, and just wanted to throw out some interesting things I learned during the course of the week, in addition to the items in my previous posts:
It is currently estimated that 40% of computers attached to the Internet are members of one or more botnets
The US government recently reduced its time-to-patch from 57 days to 72 hours, and is striving for 24 hours
Oracle is asking US universities to mandate secure coding courses in the curriculum of computer science majors
Despite some of the high visibility projects at the federal level, information security spending is at an...

RSA Recap

Show's over.  Algore just left the stage after preaching to the crowd about global warming, and how “you IT people” can use his Intarwebs to help the fight.  He was heckled a number of times during the course of his speech, but security people pounced on the hecklers fairly quickly and hustled them out of the forum.  I don't remember Colin Powell getting heckled last year, but I might be repressing it. The irony of Algore coming to a security conference and spreading his apocalyptic FUD was not lost on many of us.  Hey, spreading fear uncertainty and doubt is our...

RSA 2008 - Day 1 Morning

I'm at RSA all week, and I figured I best blog about it, seeing as how I maneuvered my way into the Security Blogger Meetup tomorrow night based on the premise that I do, at least occasionally, blog about information security issues. I'm taking a break from the morning keynotes, choosing to observe the Microsoft keynote from afar, via closed circuit TV, while I get some thoughts down on virtual paper. The first 2 talks were by EMC (parent company of RSA), and then Symantec. The show opened with the obligatory cheesy dance number, which this year was a bastardized version of the...

And now for something completely different

I have updated the Conferences list on the right-hand nav frame to just list the 2 conferences on my schedule for this year, both happening in April, as luck would have it. Speaking of RSA: I've received an invitation to attend the 2nd annual Security Bloggers Meetup during the RSA show.  There may have been a little whining on my part immediately preceding the invite, I can't be responsible for remembering the exact sequence of events.  The important thing, I think you'll all agree, is that I'll be there.

Hacking Democracy available on Google Video

You can now see the full 1.5 hours of HBO's documentary Hacking Democracy over at Google: http://video.google.com/videoplay?docid=-7236791207107726851&sourceid=docidfeed&hl=en-CA Every American owes it to themselves to watch this movie.

Hacking Democracy

HBO is running a documentary tonight called “Hacking Democracy”, based primarily on Seattle-based Bev Harris' efforts to demonstrate the holes in current electronic voting mechanisms. If you care about democracy in the US, you owe it to yourself to watch this program. I am working on another e-voting article, and will post it sometime this weekend.

A word about Microsoft's PatchGuard

I've been watching the furor over Microsoft's decision to secure the kernel in Vista to unprecedented levels with great interest.  Symantec and McAfee, the two leading antivirus providers, are screaming bloody murder because it removes their primary mechanism for detecting hostile code. It's the battle many of us security geeks have been waiting for, really.  Microsoft finally did something for the sake of security that is going to absolutely BREAK a ton of third-party applications.  How many times have we lamented Microsoft's legendary penchant for ensuring backwards compatibility, even if it meant removing a much-needed security control?  Internet Explorer anyone?  VBA?  Hello? Security people...

Conceding defeat in the PII battle

While I was waiting for the Pulitzer Committee to call me to announce the nomination of “An Ode to Mike And Ikes” for an award (or at least an honorable mention), I went over to peruse the list of recent data breaches over at the Privacy Rights Clearinghouse. It's grim.  We're averaging an incident a day in June, with no signs of easing up.  My PII (personally identifiable information) was exposed at least 4 times in the last 18 months. We've lost this one, folks.  The data is gone, and we can't get it back.  As I've written previously, you can't put this genie...

Are We Winning the Battle?

One of the more interesting talks given at last week's CSI NetSec in Arizona was conducted by CSI editorial director Robert Richardson.  He gave us a preview of next month's release of the annual cybercrime survey conducted jointly by the FBI and CSI. The survey shows a continued decline in the money lost by companies due to cybercrime.  Compared to 2005, losses are down 18%, and down 68% compared to 2004.  This metric has been declining for 4 straight years actually. So.  Does that mean we're winning?  Does that mean that all the money we're spending on security is actually bearing fruit? Well,...

Tool News

Fyodor recently announced an update to what was previously called “Top 75 Network Security Tools”.  The new list, compiled from votes cast on the nmap-hackers mailing list, has grown to 100 tools, including recent newcomer MetaSploit, which did not exist at the time the previous list was produced.  You can see the new Top 100 Network Security Tools here.  Fyodor does not permit votes for his legendary tool Nmap, since the poll is conducted on an Nmap-focused mailing list, and Nmap would certainly take the top spot (and rightfully so). On a somewhat related note, another legendary security tool, Ethereal, has...

Rebuild vs Repair

Much noise has been made over a recent eWeek story in which a Microsoft representative stated that businesses were going to have to come up with ways to rebuild machines easier and faster in response to the escalating sophistication of malware authors. Naturally the /. crowd creamed themselves in the point-and-laugh orgy that ensued.  The resulting consensus, predictably, was “Switch to OS X!“ Thing is, this “rebuild is better than repair“ approach has been common guidance from the security community for years, regardless which operating system you run.  Once your machine is hacked, you can't trust that any amount of forensics or other...

InKline Global still up to their old tricks

It's been over 2 years now since I first wrote about inKline Global's deceptive sales techniques.  Since then, that post has received dozens of comments from people who feel they have been scammed by the company, who sold them crappy products that don't do what they advertise. Last week, a rep from the company stopped by bmonday.com to defend their refund process, but declined to address the deceptive techniques they continue to use to trick people into buying the products they sell.  Apparently, they're OK with that part of their business model. Take this popup ad for instance, which was the inspiration for my past...

SANS: A year later

A year ago this month I wrote about my misgivings regarding SANS' policy shift away from requiring a practical from their students as part of their certification process.  I wrote at the time: [...] the loss (or impending obsolescence, I should say) of the SANS Reading Room, where Stephen's personal mantra was realized, that's the thing that stings the most.  As Richard said also in his blog, that was a key resource for the community, and it's sad to see the engine that generated all that great work shut down. I went back to SANS today, to see just what impact the...

That didn't take long

A new wave of bots exploiting Sony's ill-conceived DRM rootkit has been found in the wild. If you've been living in a cave the past week, you might have missed the discovery by security superhero Mark Russinovich of a rootkit that had been surreptitiously installed on his system when he played a Sony copy-protected music CD in his computer.  Seems Sony considers their right to protect their digital rights trumps your right to a properly functioning, and safe, computer, and has been shipping this rootkit software on its CDs since April.  The software can disable other music players on your system, has no discernible...

New Tool: IPEnum.vbs

Just a note announcing the general availability of my latest admin script, IPEnum.vbs. IPEnum is a script I wrote to facilitate the enumeration of my various networks, and quickly highlight systems that have appeared or moved since the last time I scanned. The script is absolutely free for anyone to use. You can read the full details and download the code and samples here: IPEnum: Network Enumeration Script

Surreal

My friend Mixa forwarded me via email yesterday's Security Update newsletter from Windows IT Pro Magazine, and said only “Search for Beau Monday.” Doing that revealed this paragraph embedded in an article by Mark Joseph Edwards about using SSH to securely copy files from one system to another: If you run Win2K Server, you can use Beau Monday's step-by-step guide, "Configuring OpenSSH (Win32) for Public Key Authentication." His guide is equally detailed and includes information about how to configure PuTTY, which is an open-source SSH command-line client for Windows platforms. The PuTTY package also includes a PuTTY Secure Copy (PSCP) client. If...

Public appearance at upcoming SecureWorld Expo

I'll be playing a bit part in the upcoming SecureWorld Expo next week, moderating an expert panel on Identity Management.  Kirk Bailey, former CISO of the City of Seattle, and current CISO of the University of Washington, was supposed to moderate this event but he had a conflict and asked me to fill in for him. If you have any questions that you'd like me to ask the panel on your behalf, leave me a comment here and I'll see if I can work them in.

iBackup Test Drive

A friend of mine is a lawyer, and she's got her life on her laptop.  If the thing goes toes up, she loses years worth of work that would be difficult to replace.  Everything she does ultimately ends up as a hard copy, so it could be reproduced.  But it would be an enormous undertaking. So I've been doing some research on backup solutions for her.  Something that she doesn't have to think about, but results in at least weekly backups of her critical information.  I was very intrigued when Steve posted about a cool NAS appliance that NetGear is currently making.  But...

Educating Home Users about Cybersecurity

I've been thinking for a long time how to get security ingrained into the psyche of the average home user.  I've been half heartedly trying to “expose some content”, as some of my colleagues would say, to spread the message of why computer security is important to everyone. But I haven't really made any progress, and it was getting pretty frustrating for me personally.  The problem was that the project could be all-encompassing, especially when I started considering what a state agency could distribute to all its residents. So a couple weeks ago I decided that doing it on a small scale...

Do you know where your backup tapes are?

I was looking at Privacy Rights Clearinghouse's list of data breaches since the ChoicePoint debacle in March.  Quite a few on there that I hadn't heard of. The surprising thing is the number of breaches involving the loss of backup tapes.  In fact, if you graph the incidents (throwing out the top and bottom numbers), you come up with this fairly revealing chart: Do you know where your backup tapes are?

Trackback Spam

If you remember a few months back, I implemented a CAPTCHA-style comment system to battle the growing comment spam problem.  That was a huge success, I have to say.  I've only had a couple spams since, by people who actually entered in the code.  Spammers rely on massive numbers of messages, so most see the effort required to enter the code and move on to softer targets.  And what is security, really, besides encouraging the malcontent to move on to a softer target :). But now spammers have turned to a new method of spamming blogs, by using trackbacks.  Trackbacks, for those...

WSJ reports on AGORA's Google Hacking Demonstration

Back in March, I noted briefly that I had attended a “Google Hacking Contest” put on by the AGORA organizers.  I can't say much about what goes on at AGORA, but since this hit the wires, I guess it's ok. Well in the audience that day was a reporter from the Seattle Post-Intelligencer, one of the two major newspapers for the greater Seattle area.  And then it was picked up and run on page B1 (above the fold!) in a subsequent issue of the Wall Street Journal (the WSJ is subscription only, so I am providing a very curious free link...

When Good Intentions Beget Bad Laws

Back in April of this year, Washington became the 6th state in the Union to pass a law requiring the disclosure of events resulting in the exposure of personal information to unauthorized entities.  Similar, if not identical, legislation is making its way through the governing bodies of at least 28 other states as I write this. This legislation follows closely California's own SB1386, which came as a result of the well known breach of California's government systems, which resulted in the exposure of the employee files of every one of California's state employees. More famously now though, California's SB1386 is the reason Choicepoint was...

Confidence

I've been having a shitty month, there's no nice way to put it.  I've been stuck in one of those ruts where everything I touch has turned to foul smelling goo.  And foul smelling goo, it turns out, doesn't route packets very well. Let me give you an idea of what I've been battling lately: After 9 months of testing and upgrades, we started moving customers onto our new BigIP 9.x load balancing infrastructure, from our aging 4.x units. A week and a half after our first batch of live customers got moved, the new units both shit the bed, and caused a...

Enumerating all systems in an Active Directory domain

I often have to query all systems in a domain for some bit of information. I recently crafted a script that allows me to easily accomplish this, and I thought some of my readers might find it useful. The script will take a command-line argument for a single computer name, but if one is not specified it will act upon the entire domain.  You will need to modify the objCommand.CommandText line to suit your environment, obviously.
'We're using a dictionary object to hold the list of systems
Set objDictionary = CreateObject("Scripting.Dictionary")
'Check for command-line arguments
Set objArgs = wscript.Arguments
If objArgs.Count = 0 Then
...
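
The same idea in PowerShell, as an added example that is not the original VBScript: an ADSI searcher enumerates every enabled computer account in the current domain (no RSAT module needed, so it runs on any domain-joined box), a single computer name on the command line restricts the run to that one system, and each target is then queried for something. What to collect per system is an assumption here (OS caption and last boot time via CIM); swap in whatever you need, and note the PageSize setting, which is what stops a domain controller from silently capping the result at 1000 objects.

```powershell
# Added example (not the original post's VBScript): enumerate domain computers
# with [adsisearcher] and query each one. The per-system query is an assumption.
param([string]$ComputerName)

function Get-DomainComputerName {
    # objectCategory=computer, minus accounts with the ACCOUNTDISABLE bit (2) set
    $searcher = [adsisearcher]'(&(objectCategory=computer)(!userAccountControl:1.2.840.113556.1.4.803:=2))'
    $searcher.PageSize = 1000                    # enable paging; the DC's MaxPageSize is 1000 by default
    $searcher.PropertiesToLoad.Add('name') | Out-Null
    foreach ($r in $searcher.FindAll()) { $r.Properties['name'][0] }
}

function Get-SystemFacts {
    param([string[]]$Targets)
    foreach ($t in $Targets) {
        try {
            # Get-WmiObject does the same on hosts without WSMan remoting
            $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $t -ErrorAction Stop
            [pscustomobject]@{ Computer = $t; OS = $os.Caption; LastBoot = $os.LastBootUpTime; Error = $null }
        } catch {
            # Unreachable or access denied: record it rather than aborting the whole sweep
            [pscustomobject]@{ Computer = $t; OS = $null; LastBoot = $null; Error = $_.Exception.Message }
        }
    }
}

$targets = if ($ComputerName) { @($ComputerName) } else { Get-DomainComputerName }
Get-SystemFacts -Targets $targets | Format-Table -AutoSize
```

Usage: `.\Enum-Systems.ps1` sweeps the domain, `.\Enum-Systems.ps1 SERVER01` hits one box. The errors are kept in the output instead of thrown so a sweep of a few hundred systems finishes and you can sort the unreachable ones afterwards.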

SANS abandons practicals as a certification requirement

I was visiting Richard Bejtlich's site today and noted that SANS has decided to abandon the requirement for a written practical as part of their certification process. While I didn't conduct any SANS classes like Richard did, I am very familiar with the organization.  I happen to be one of the 8000-ish security professionals they've certified over the years. Shortly after I decided to focus my computer career on security, I invested upwards of $10,000 of my own personal funds attending a number of SANS training sessions.  I even drove down to San Francisco to attend a week-long session on intrusion detection being led...

Read-Only DCs Returning with Longhorn

One of Active Directory's Achilles' heels is the fact that Domain Controllers all share ownership of the directory.  Gone is the pre-Win2k concept of a Primary DC that feeds directory information to read-only Backup DCs. This is a huge security issue because in the current design, there is no way to prevent some random domain controller in a branch office from pushing corrupt or malformed data to the rest of the forest, taking down the entire forest in the process.  But you have to have a domain controller in that branch office, and that domain controller has just as many rights...

Day .9 at DEC

While the Directory Experts Conference officially gets under way today, I was in Vancouver yesterday to attend a special pre-conference training session on securing Active Directory. The session was conducted by Sanjay Tandon, who works for Microsoft.  He was the PM for the Active Directory Security group until a few months ago, and he's the author of a number of key papers on the subject, including the key whitepaper on delegating authority within AD. Joining Sanjay was Guido Grillenmeier, a leading HP consultant from Germany.  If anyone knows Active Directory more than Sanjay, it is apparently Guido. The session started off slowly, and...

The trip to Vancouver

The alarm went off at 4AM.  My brain made some very convincing argument about how I would disturb the cats sleeping on me if I got up now, and that would be cruel.  So I noted the alarm, and decided to ponder the situation further before making any hasty decisions. It was nearly 5:00 when my eyes snapped open, my subconscious finally getting through with the message that the alarm went off “a while ago“. Luckily, I was basically ready to go, and 15 minutes later I was on the road.  But man, I was tired.  I had maybe 3 hours of sleep, and...

"Running As Non-Admin" Blog

Back in January I lamented the fact that some really great blogs seemed to drop off the face of the earth after a few brilliant posts.  (Which is ironic, given my own post count for the following month). Aaron Margosis, the author of one of the featured blogs, the Running As Non-Admin Blog, stopped by recently to let me know that he's back in business and blogging again. This is great news, because the community definitely needs some expert advice in running day-to-day Windows as a regular user (I.E.: not as Administrator). Let's hope he keeps it up, because the posts so far are...

Stupid Security Tricks

A while back my bank sent me a letter explaining that my credit card information had been exposed when some anonymous online vendor got haxxored.  So they are issuing me a spanking new card with a new number on it, and cancelling my old card. No problem.  I don't live in California, so I don't get to know who the vendor with the shitty security is.  But whatever. So I get the new card in the mail, and look over the number.  It's identical except the last 4 digits have changed.  Even the expiration date is the same. WTF, mate? Let's ponder this for...

What the hell's going on in California?

If you watch the news lately, you can't help but hear about some of the recent high-profile hacks of major information clearinghouses. Choicepoint, the most publicized victim, announced a few weeks ago that sensitive information on 30,000 Californians was given to hackers who were posing as Choicepoint customers.  What they failed to tell everyone initially was that the number of people whose personal information was exposed is closer to half a million. Choicepoint is an information aggregator, and about the biggest one there is.  They have dossiers on 10 BILLION individuals and businesses, and those dossiers include social security numbers, credit histories,...

Google Hacking Contest

I recently had the privilege to witness an organized Google Hacking Contest, inspired by Johnny Long's new book “Google Hacking for Penetration Testers”. The contest pitted 8 teams of local security folks (including a team from Intel and a team from Qualys) against each other, and gave them 60 minutes to use Google to find as much personal information about people as possible. The results, frankly, were astounding.  I went into it knowing Google was a one-stop identity theft shop, but I still left shaking my head. The highest scoring team found over 2.5 million bits of sensitive information, including social security numbers,...

Disable Shutdown, Permit Restart

In an unmanned datacenter, it's bad to shutdown a system. Mostly because there isn't always someone around to hit the button and power it back on. While you can remove the Shutdown button from the user's UI via GPO, that also prevents them from restarting the system.  This was a problem for me recently.  I need to enable certain users to reboot particular systems, but prevent them from accidentally shutting them down. What I ultimately opted to do was use the GPO to remove the Shutdown/Restart buttons from the user's interface.  Then I gave them a WSH script that will restart the...

Kirk Bailey and Ernie Hayden in Information Security Magazine

I owe Kirk Bailey, the CISO for the City of Seattle, an apology.  After hearing him talk at my first A g o r a meeting, and a subsequent conference, I made some flippant comments about his penchant for gab, and that was uncalled-for. In the subsequent months, I've had the chance to spend some more time with Kirk, and got to experience first-hand how hard he works to bring the infosec community in Seattle together.  He's a great role model for other CISOs, and someone I've come to look up to and admire.  I wish I could talk about all he...

Directory Experts Conference

I registered today for the Directory Experts Conference in March, as I mentioned previously.  It's going to be held in Vancouver B.C., which has become the city of choice for security conferences in the greater GREATER Seattle area (is there a geographical label that encompasses Oregon, Washington and British Columbia?  I need one). It's a 3-day show (can be 4, with an optional day of Active Directory security training), and I'll probably be driving up the Saturday prior.  So if anyone wants to hook up for some beers or something, just drop me a line. I'm still planning on attending CanSecWest in May...

Windows Security Checklists

Michael Howard mentioned an interesting site that I was not previously aware of, CastleCops. They have been publishing a series of fairly detailed checklists to secure home-based Windows installations, and operate them in a secure manner.  I haven't gone through all the articles (there are 9 at last count), but they obviously put a lot of effort into them.  The first few made some good recommendations, so I'm encouraged. I took a look at the rest of the site and it looks pretty informative.  I think I might add them to my list of daily reads, at least for a while.

First destructive cell phone viruses emerge

Cellphone anti-virus developer SimWorks is reporting (pdf) that 2 new cell phone viruses have been identified, and they can render a cell phone completely inoperable to the point of having to replace it. Gavno.a infects the phone when a user downloads and installs an infected software package onto their phone.  Gavno.b, on the other hand, attempts to spread itself over Bluetooth.  Both files claim to be a patch in an effort to trick unwary users into downloading and activating them. Once activated, the viruses halt a critical process on the phone, preventing it from making any calls, and often causing it to constantly reboot. ...

New Edition of Inside Windows 2000 Is Out

My friend Steve pointed out to me that the 4th Edition of Inside Windows 2000 has been released by the fine folks at SysInternals.  The name of the tome has been changed to Windows Internals. From the site:

Windows Internals, 4th edition replaces Inside Windows 2000, 3rd edition.  With 25% more content than the previous edition, it has been updated to cover Windows XP and Windows Server 2003, including 64-bit support, while also still covering Windows 2000. This new edition is even more valuable to the IT professional/system administrator as it takes the internals information and applies it to advanced troubleshooting, such...

Local Security Superhero Dave Dittrich

I recently had the pleasure of attending a talk given by local DDoS and Worm expert Dave Dittrich at a quarterly forum called The Agora that's held locally in Seattle but I've been explicitly forbidden from blogging about (Dave mentions The Agora briefly on his site, so I feel safe saying at least that much).  The most recent forum was really cool, and I'm near exploding not being able to tell you what it was about.  But I want to be invited back, so I bite my tongue.  Really hard. What I can tell you is that Dave, the Senior Security Researcher at Seattle's...

Windows 2000 Auditing and Intrusion Detection Guidance

Last year Microsoft published a lengthy TechNet article about using built-in technologies to enhance the auditing and intrusion detection capabilities of servers running Windows 2000.  While it certainly doesn't take the place of dedicated IDS facilities, it does add valuable data to the collective when it comes time to determine why a machine might be misbehaving.  Another layer of defense is always a Good Thing. Check out the whitepaper here.

NSA Security Configuration Guides

The National Security Agency's repository of damn fine security configuration guides can be found here.  They provide solid guidance on everything from Apple to Windows, and many things unrelated to operating systems at all.

Life Expectancy of Unpatched Linux Machines Has Increased

Let's see if I can get through a post without dropping the f-bomb 8 or more times, shall we? Just before I broke for the holidays, Lance Spitzner (personal hero of mine, yada yada) dropped a message to Focus-Honeypots about a paper the Honeynet Project recently put out about the life expectancy of new, unpatched Linux boxes. “Life expectancy”, if you are not familiar with the term in this context, refers to how long a machine remains on the Internet without being compromised by a hacker.  These days it's measured in hours, with most systems being probed for possible weaknesses within 15...

Updated Conference Listing

I can't sleep and something has gone horribly wrong with the Everquest 2 servers, so I figured I'd do some late-night blogging.  I'm also halfway through ripping my CD collection with Media Player, but that's another show... err, topic. First order of business was to update the conference listing on the right-hand side of the page.  These are conferences that are going to be held in the Pacific Northwest (and Vancouver BC) in the next few months. The first is the Directory Experts Conference (DEC), which will be in Vancouver BC during the ides of March.  This conference focuses on Active Directory security.  This includes securing...

CORE gets the evil eye too

Dave Aitel from Immunity Inc stopped by to mention that CORE actually released the WINS vulnerability the day before Immunity's release went to press.  The first news I saw about it (I guess I'm not subscribed to the right lists) was the Immunity announcement.  But if you go to CORE's site, they definitely published on Thanksgiving day. I still think Immunity could have waited until Monday to share the technical details of the vulnerability with the world.

New WINS Vulnerability

On Friday, Immunity Inc released information regarding a flaw in the WINS service that could be exploited to gain remote control of the target system. I don't know what responsible disclosure means to Immunity, but releasing an exploit of this magnitude in the middle of a 4-day US holiday doesn't seem very responsible to me. Color me “annoyed”.

SecureWorld Expo Debrief

I spent 2 days at SecureWorld Expo this week, as it visited my home town of Seattle.  Here's a brief recap of the goings-on:

Keynotes:

Whit Diffie, CSO of Sun Microsystems:  Whit Diffie is a legend in the computer world, probably best known for the invention of public key cryptography way back in the mid 70's.  He's the 'Diffie' half of Diffie-Hellman, one of the most popular public key exchange algorithms.  He's a charismatic speaker, and the whole crowd was on the edge of their seats while he went through an hour-long overview of the history of information security.  Unfortunately, he seemed to...

MBSA is Driving Me Insane

I spent the better part of yesterday poring over our most recent MBSA scan and distilling down the results so I could communicate them out to the rest of the team. There's gotta be a better way to display the results of these scans.  Hell, they are just a collection of XML files. I think I've found my next coding project.  Stay tuned.

Cyber Nightmare

Last month Forbes ran a story called Cyber-nightmare, about how Al Qaeda and other terrorist organizations are increasingly using the Internet to further their purposes. Interesting stuff.

Legal Notice Bug When Using 2003-generated GPO on Win2k

I have a rather long legal notice being displayed prior to login on all my data center systems.  Actually the new kids refer to them as “Logon Banners”, but I'm old school dammit!  Back in my day, we didn't have GPOs, and we had to hack the registry to get a legal notice to show up.  And it was uphill both ways, too. Anyway, here's the legal notice we use:

This system is for explicitly authorized users only.  Individual use of this computer system and/or network without authority, or in excess of your authority, is strictly prohibited.  Monitoring of transmissions or transactional...

Patch Day

It's that time of the month again. This month's batch of Microsoft patches is a doozy.  9 10 patches in all, most of them rated Critical on the severity scale. Patch details can be found here. If you haven't run Windows Update on your home computers, do it now.

MBSA Scans Rebooting Your Server?

I've had an intermittent problem with the machine I use for scanning my Data Center with MBSA:  The machine sometimes will reboot itself in the middle of the scan. It finally got annoying enough for me to look into it today, and I discovered Microsoft knows about the problem, and has produced a patch.  Apparently the bug is with Services.exe, and only occurs on Windows 2000 servers.  The problem appears to happen more frequently on servers that are also domain controllers, but member servers are also susceptible. You can read KB 823644 for details of the problem, and instructions on getting the...

Bruce Schneier is Blogging

I meant to note this last week, when Dana mentioned it on his blog, but I forgot: Bruce Schneier, considered by many to be the foremost expert on modern cryptography, and certainly one of the most respected and sought-after voices in the information security realm, recently started a blog.

Schedule Set for WCSF 2004

Dana dropped me an email today to let me know the schedule has been set for the upcoming West Coast Security Forum in Vancouver BC. Wow, Erik Birkholz, Tim Mullen, and Phil Zimmermann packed into a single conference, for $295 Canadian?  You can't pass that up folks. Registration should be open today.

Upcoming Security Conferences

I will be attending SecureWorld Expo in Seattle (Bellevue, actually) on Oct 26th and 27th, as well as West Coast Security Forum in Vancouver (BC!) on November 22nd. If you will be at either of those events, drop me a line.  I'll treat you to a Fat Tire. By the way, I traded emails with Dana about registration for WCSF, and he said it should be open “Any Day Now”.  So just keep checking.

The Governator Says "Hasta La Vista" to Paperless E-Voting in California

Today in California, Arnold Shwartzenegger (hereafter called “The Governator” due to my complete inability to spell “Shwartzenegger”) signed a bill into law requiring existing voting systems to be retrofitted to provide a paper trail by the time the 2006 primaries roll around.  It also prohibits any new paper-less systems from being certified after Jan 1st of 2005, and prohibits the state from purchasing any paper-less electronic voting machines after 2006. California's Attorney-General still intends to sue the pants off Diebold for fraud, contending that Diebold made false claims about their product, which were not properly tested or approved prior to their use in recent...

More E-Voting Icebergs, Dead Ahead

(For previous entries regarding the looming disaster that is electronic voting, please see this post and also this post) If our ignorant (I'm being nice by not suggesting “corrupt”) state governments continue to fly headlong down this ill-advised and reckless path of electronic voting, it will no longer be a question of *if* an election will be hacked, but *when*. Let me bring you up to date, since a number of very serious issues have come to light in the past few weeks: Security experts recently discovered that the Diebold system (by far the most popular in the country) could be attacked at the...

Upcoming Seattle-Area Security Conferences

Some interesting security gatherings coming up in the next month or two:

Secure World Expo (Oct 26-27, Seattle):  2 Days of focused 45-minute talks, including keynotes from CISO-types from some of our most innovative local companies (Starbucks and WaMu), for $145. Can't beat that.

West Coast Security Forum 2004 (Nov 22, Vancouver BC):  It's a one-day event, but again bargain-priced at 240 Canadian dollars.

These are the kinds of events we need to see more often, everywhere.  Lots of short talks on specific subjects, and at prices nearly everyone can afford.  It doesn't have to be some travelling behemoth that you have to...

Business Continuity Planning

Nothing demonstrates the need for a business continuity plan quite like a bomb threat in the building next door. It was an interesting afternoon.

Stupid Things Microsoft Does

So I decided to upgrade my primary firewall here at bmonday(dot)com to ISA2004.  I've been running ISA2000 for a long time, and I've been really happy with it.  But there were some new features available with 2004, so I figured I'd upgrade and check it out. The installation went pretty smoothly until about halfway through my installation process it had a problem reading a file off my CD.  So I ended up aborting the installation and copying the CD to the local disk before trying the installation again. The abort seemed to go alright, it even said it was backing out all...

Microsoft's File Checksum Integrity Verifier

Microsoft put out a new command-line tool called the File Checksum Integrity Verifier (FCIV) earlier this year.  FCIV allows you to compute file hashes system-wide, and compare them to previous results using XML databases:

The File Checksum Integrity Verifier (FCIV) is a command-prompt utility that computes and verifies cryptographic hash values of files. FCIV can compute MD5 or SHA-1 cryptographic hash values. These values can be displayed on the screen or saved in an XML file database for later use and verification.

I am going to play around with this a bit, and see if it can be worked into FirstOnScene.  Regardless, I will...

FirstOnScene, v1.3

Sorry for the number of updates I have made to FirstOnScene since I released it 2 weeks ago.  The truth is, I use it myself almost daily, and I am finding a lot of ways to improve it.  I think once I add registry dumps in the next version, development will slow down a little.  I still haven't decided whether I am going to dump the registry manually, or use an existing tool. FirstOnScene 1.3 adds support for detecting scheduled tasks, both those configured as “at” jobs, and those using the modern Scheduled Tasks facility.  This check will always be performed, no...

A word about SP2's security

Articles are starting to appear on the Internet about how silly Windows XP's upgraded firewall is, since it focuses almost entirely on blocking inbound connections and doesn't really care much about outbound. The most loyal of my readers will remember me cautioning Microsoft against doing anything about outbound traffic.  Why?  Because the ability for a user to do what they want to do with their computers will ALWAYS trump security.  Read my arguments from last November. Couple that with the unwillingness of software developers to write software that can be properly secured, and support departments all too eager to tell customers to...

FirstOnScene: Version 1.2 is now available

Just a quick post to announce the immediate availability of version 1.2 of FirstOnScene, the 10-second forensic data gatherer (actually it runs in about 3 seconds on my servers at work, in the default configuration). I have added an option to scan the local file system for files changed in the last n hours (use the /modified: option).  There are a couple of command-line tools that do this already, but they are kind of a pain to work with.  So I ended up writing the majority of this myself, with help from a couple of timely file system parsing algorithms from the...

Microsoft Whitepaper: Changes to Functionality in XP SP2

Microsoft has recently published a detailed paper about the major changes in functionality introduced by the final version of Service Pack 2.  It's a must-read, especially if you are on the hook to roll this out across an enterprise.

SP2 for XP Breaks NMap, Fyodor Reports

My friend Mixa was kind enough to forward me a post made by Fyodor on the nmap-hackers mailing list about SP2's removal of Raw Sockets support breaking most of NMap:

Date: 8/11/2004 12:31:23 -0700
From: Fyodor
To: nmap-hackers@insecure.org
Subject: Windows XP SP2 incompatible with Nmap

This is just a heads-up that most Nmap functionality will not work on the just-released Microsoft Windows SP2. Why? Microsoft apparently broke it on purpose! When an Nmap user asked MS why security tools such as Nmap broke, MS responded[1]: "We have removed support for TCP sends over RAW sockets in SP2. We surveyed...

Thanks Richard

Every once in a while (if you're lucky, more often if you're not), you come across someone pointing out such a fundamental flaw in reasoning that it makes you smack your head and wonder why you've been doing it for 10 years.  It's such an obvious flaw when it's pointed out, but you've done it for so long out of habit that it never occurred to you to question it. Such an epiphany came to me while reading Richard Bejtlich's new book, The Tao of Network Security Monitoring (awesome book, by the way). The crime? For 10 years now, in every single firewall installation I've been...

XP Service Pack 2 is out

I'm downloading Service Pack 2 for Windows XP as we speak, from MSDN. 

FirstOnScene, Version 1.1

I added auto-run scanning support to version 1.1 of FirstOnScene, which is now available here.  The auto-run feature scans the registry and file system for known auto-run facilities that are commonly used by trojans.  It's an option that you have to invoke by specifying “/autoruns” on the command line.  For more information about this feature, see this blog entry.  AutorunScanner is a stand-alone version of the /autoruns feature in FirstOnScene.  The core code is identical. I also changed the execution order when calling for a dd image of the system memory with the /m option.  It now runs first thing, when requested.  This way, the...

Tool Announcement: AutorunScanner.vbs

I couldn't find a good command-line autorun scanner for FirstOnScene, so I went and wrote one in vbscript.  Yes, that's why I'm still up at 2AM in the frickin' morning.  You know how many ways there are to get a trojan to automatically launch itself these days?

Features:
Scans dozens of registry entries, in HKLM and HKCU
Checks startup folders in every user profile on the disk
If there is anything in Autoexec.bat or Config.sys, it will warn you
It checks various win.ini and system.ini files for RUN and LOAD directives
It checks for out-of-place explorer.exe files (man, that's a bad one)
Checks some other stuff too

You can...

Announcing FirstOnScene, the 10-second Forensic Data Gathering Tool

The “exciting project” I've been working on has finally reached a point where I can release it in good conscience. Over in the Security Articles section of the site, you can read about the new script I have written called FirstOnScene. FirstOnScene is the solution to my growing problem of how to get good forensic information off a system before it needs to be put back into production to satisfy SLAs and other uptime commitments. The result is FirstOnScene, which generates output from about 20 different tools in under 10 seconds, correlates them into a single report, and pushes that report up to...

Quickies

It's been a busy week, and I'm working on an advanced MRTG article (and a secret project that you will all love!), so I haven't had much time to post.  I've had a few things I wanted to quickly mention, so I'll do it all in a quickie post and we can all get back to our beers, eh? Another Addison-Wesley book that I need to buy as soon as it ships: Windows Forensics and Incident Recovery My friend Mixa sent me a link to SecurityDocs.com, which links to over 2200 docs on information security topics.    I'll add that to my list of good...

Speaking of Books

A book that I have been anticipating all year has finally started shipping: Richard Bejtlich's The Tao of Network Security Monitoring. My copy is inbound.  I suspect this will be a cover-to-cover job as well, after taking a look at the table of contents (pdf). You know, I just realized that over half of my (substantial) book budget over the past 12 months has gone to Addison-Wesley productions.  Those folks have put out some damn fine books lately.

Books: Know Your Enemy, 2nd Edition

Those who know me, or have looked at my (outdated, I just realized) Bookshelf, know that I consume technical books.  But I don't read them cover to cover, that's boring.  I buy books mostly on the depth of their index, because that's probably the first thing I am going to look to if I need something answered. However, there are a number of exceptions. The latest exception to this trend is the 2nd edition of Know Your Enemy, by the fine folks at The HoneyNet Project.  And that's not just because of my borderline-stalker admiration for a certain former tank commander either (Lance is...

Windows Forensics: Have I been hacked?

Dana linked to a great article at BleepingComputer.com that explains some simple steps you can take to see if your system has been hacked. It doesn't cover everything, but it's a pretty good start, and the process will expose 90% of the rootkits script kiddies are currently using.

MRTG and Logging

If you followed my instructions for setting up MRTG on a Windows platform, you are probably logging every MRTG cron job to %SYSTEMROOT%\system32\mrtg.log.  And that log, by now, is probably in the several hundred megabytes range. I deleted a 700MB log file from an MRTG system that monitors about 30 systems yesterday. To disable logging entirely, which I recommend once you get things working smoothly, simply remove the “--logging=mrtg.log” bit from each of the cron jobs in c:\mrtg\cron\crontab and copy that to %SYSTEMROOT%\system32\crontab (you will need to halt the cron service before you copy the file over, then restart it again afterwards).  You...

IIS Hardening Checklist

Rob over at NetSec linked to an IIS Hardening Checklist over at the UW.  While IISLockDown takes care of many of these issues for you, there are some good permissions tips in the checklist. There's a couple things on it that will make it onto my Data Center Team's hardening procedure, I think.

Article Announcement: Basic Analysis of Windows Security Logs with Logger.pl

Logger.pl is a perl-based analysis tool for analyzing the Security Event Logs from one or more Windows-based systems, aggregating “interesting” events in a format that is much more manageable.  It's a great tool, and one I intend to start using much more often. After struggling with getting Logger.pl working on a system today, I figured I would write a quick how-to on getting it up and running:

Basic Analysis of Windows Security Logs with Logger.pl

I hope someone finds it useful.

Solution to MRTG's "Possible precedence problem on bitwise" error

I've received a number of emails from people getting the error “Possible precedence problem on bitwise | operator at c:/mrtg/mrtg/bin\..\lib\mrtg2/BER.pm line 619”, usually when running the Update_MyRouters.bat script. I've found the solution, after much investigation. Open BER.pm in your favorite text editor and change line 619 to read:

return error ("Sequence expected") unless $result == sequence_tag or constructor_flag;

(changing the "|" to the word "or"). Save the file, and you're golden.

New version of MRTG Bundle is now available

Chris Dos, of Open Innovations fame, stopped by about a month and a half ago now (yeah I suck) to let me know he has updated his MRTG bundle with the latest binaries for MRTG and associated apps. This is the core package used in my recent article Installing MRTG on a Windows Platform. You can get the updated bundle at http://www.open-innovations.com/mrtgbundle.html. Thanks Chris!

Windows Startup Online

I ran across this database of applications that have a habit of putting themselves in the Startup folder.  This comes in handy when trying to find out what a particular executable is: http://windowsstartup.com/wso/  

Microsoft Security Summit

I spent the day away from work today to attend the Microsoft Security Summit here in Seattle.  It was a decent event, with a good number of attendees.  I was surprised that so few vendors showed up, but that may have been due to the space constraints. I was disappointed with the keynote speaker.  I had assumed that with Seattle being MS' home town, they could rustle up someone higher up in the food chain than a VP of Marketing.  While Andy Lees gave an engaging and informative keynote, I couldn't help but wonder why Mike Nash, Scott Charney, or even Charlie McNerney...

MRTG/WMI Follow-up

A reader asked me to post a cfg file for the SQL example I referred to in my recent WMI on MRTG article.  Here is the relevant entry from the MRTG cfg file on one of my database servers (named “DB01”):

Target[DB01.SQL.Connections.WMI]: `cscript //nologo \vbscripts\getSQL.vbs DB01`
Title[DB01.SQL.Connections.WMI]: SQL Current Connections (WMI)
Pagetop[DB01.SQL.Connections.WMI]: SQL Current Connections (WMI)
MaxBytes[DB01.SQL.Connections.WMI]: 10000
Options[DB01.SQL.Connections.WMI]: gauge, nopercent, growright, noo
YLegend[DB01.SQL.Connections.WMI]: Current Connections
ShortLegend[DB01.SQL.Connections.WMI]: Connections:
LegendI[DB01.SQL.Connections.WMI]: Connections:
Legend1[DB01.SQL.Connections.WMI]:  Current Connections

Article Announcement: MRTG and WMI

I have posted a follow-up to my recent MRTG How-To.  This article goes into how to use WMI to fetch the metrics instead of relying on insecure SNMP.  I have included a number of ready-to-use scripts that should get you started.  Please feel free to email me, or comment within the article, if you discover any errors.

New Article: MRTG and WMI

Installieren von OpenSSHd (Win32) für allgemeine Schlüsselauthentisierung

Stefan Lenz has translated my OpenSSH article into German and posted it on his site.  Thanks Stefan!

Of Hubs and Switches

I swear I'd give my left eye to find an honest-to-god hub that I can throw into my laptop bag in case I need to do some impromptu sniffing. You can't buy a hub nowadays though.  Switches are all the rage.  Even devices that claim to be hubs are actually switches, but 99.999% of consumers don't care, and are actually better served by a switch anyway.  I have to go back 5 years to find a bona fide hub, and it's usually metal encased, weighs about 5 pounds, and won't fit into my laptop bag. So what is a traveling network analyst...

Phishing attacks up 500%

According to this article at Information Week, phishing attacks have increased 500% since January, and a whopping 5000% in the last year. Email is evil.

Phishers are getting good

Take a careful look at the following image: See the *almost* perfect white box with the “https...” part in it?  It's a little off there along the bottom, but it's really plenty good enough to fool most users.  That, dear readers, is a chromeless window.  And unfortunately, this one isn't a demo.  This was found in the wild recently. This particular chromeless window is covering up the fact that the user is actually visiting “http://validation-required.info” (terminated), which is a scam website in Korea pretending to be US Bank.  Users were duped into going there by a fairly run-of-the-mill phishing email from (supposedly) US Bank...

Botnets for rent

The Register recently did a story on a growing industry based around renting out botnets to ne'er-do-wells who don't have the skills or time to collect their own.  You can rent botnets by the hour, apparently, to use them for spamming, DOS attacks, or whatever nefarious deeds strike your fancy. Remember, botnets are collections of hacked PCs, usually on cable modem, DSL, or other “always on” connection.  Some botnets have been discovered that contained over 250,000 hacked machines (zombies), waiting patiently for commands from the master.  The majority of recent worms and other large-scale viruses have been specifically designed to turn the infected systems into...

TCP/IP Illustrated available electronically

AngryPacket.com has published Richard Stevens' book “TCP/IP Illustrated, Vol 1: The Protocols” as a pdf on their site.  As you may have noted from my bookshelf page, this is probably the first book any network analyst buys (or maybe Comer's book, for some).  I actually have 2 copies myself, one for the office and one for the home office.  (I have a copy of Comer's book too, but I prefer the Stevens text) You should have a copy too, even though you can read it for free thanks to AngryPacket.

MRTG Article Reprinted at NetworkNewz.com

The folks over at NetworkNewz recently asked if they could reprint my recent MRTG how-to in their periodic newsletter and on their website.  I feel strongly that publishing articles and whitepapers is one of the most important ways we “give back” to the community, so I immediately agreed. You can see NetworkNewz.com's reprint of the article here.

IPSEC through an ISA firewall

(This one is more for my own personal archival purposes.  This blog makes a handy centralized notepad sometimes.) I recently had occasion to configure my ISA firewall at home to allow outbound IPSEC traffic to a remote Checkpoint Firewall-1 NG termination point.  The folks over at www.isaserver.org have written a quick vbscript to do the needful on the ISA firewall.  Run the script, restart the firewall service, voilà!  This is one of the handy things about ISA, the fact that it's entirely scriptable. Enjoy.

Minor Correction in MRTG Article

In my recent article on getting MRTG up and running on a Windows host, I failed to recognize what appears to be a bug in Routers2's installation package when you go to upgrade to the latest version. If after upgrading to the latest version of Routers2.cgi, it still claims to be v2.11 at the bottom of the web page, you must copy routers2.cgi to index.cgi in your \mrtg\wwwroot directory.  This doesn't appear to happen automatically by the installation script (at least not on 2 separate systems I have been testing with). I have corrected the “Upgrading Routers2.cgi” portion of the article to ensure...

Article Announcement: Installing MRTG on a Windows Server

The long-awaited article about getting MRTG going on a Windows server is now available.  There will be follow-ups about tweaking MRTG's features and doing WMI and PerfMon graphing, but this should get you started.

Installing MRTG on a Windows Server

Please leave comments or send me email regarding any errors found, or other feedback. Enjoy!

Network Monitoring with MRTG

I've been very busy working up some how-to documents on using MRTG in a Windows environment to monitor server and network health.  This has been a very challenging and time-consuming project, since it involves so many disparate technologies (MRTG, SNMP, WMI, VBScripting, RRDTool, etc).  And like many things Open Source, the documentation is all over the place. My goal is to come up with a solid how-to, similar to the one I recently did for OpenSSH.  I should have that done in another week or so.  In the meantime, check out some of these near-real-time performance metrics on the site here. ...

Patch Day Cometh

This month's Reckoning Day came and left in its wake a mass of busy admins.  I dreaded going into work today, especially with Microsoft re-arranging the security execs the day before Patch Day.  That's what companies do to CFOs the day before they announce crappy earnings, so I knew that didn't bode well for today's patch announcements. Anyway, when word came down from on-high, the tablets spoke of 20 vulnerabilities, some old and some new, combined cleverly within a quad of patches. If you haven't visited Windows Update today, drop everything and go do it. . . . What, you think I can't see that you're not going...

Reading List

I have a few things I need to remind myself to read over the next few days, and it might as well be here:
11 Port Enumerators Compared
Virtual PC 2004 FAQ
Blog of a couple Japanese Security MVPs
Advanced Security Reporting with Nessus (.doc)
MACS: Microsoft's long-awaited log management facility (just for security logs though?)
www.infosecwriters.com
IDS Policy Manager for Snort

Empty Log Files on Windows 2000

So over the past few months I have been running into this bizarre problem with the Windows 2000 event logs appearing to be empty when they were very much not.  You would open up Event Viewer, select a log, and nothing would appear in the right-hand pane.  You could click on individual lines in the pane, but trying to open or manipulate these invisible event log entries was fruitless. Additionally, exporting the logs to other formats had no effect, and neither did viewing the logs remotely, or viewing them with 3rd party tools.  The only thing that seemed to right the...

Inexcusable

I can't believe that Cisco, of all companies, would allow a developer to put a hard-coded backdoor into two of its products.  The embedded username and password, which cannot be changed or disabled, allow attackers to gain full admin-level access to the devices. There is no single networking company that the Internet (and Big Business) is more reliant upon than Cisco.  And for them to allow this kind of thing to happen in any product they ship is horrifying. Heads better be rolling.

Article Announcement: Configuring OpenSSH (Win32) for Public Key Authentication

Anil came to my rescue recently by sending me his config file and walking me (via MSN Messenger) through some troubleshooting steps to get my OpenSSH working on my Windows XP “server”.  I'm hoping we can hook up while he's out here for the MVP conference next week.  I owe him a beer or 8. Anyway, seeing how I went through every single Google hit on “OpenSSH windows putty 'server refused our key'” and came up with lots of “maybe try this“ stuff but no concrete solutions, I thought it was time to add an article to the pile, one that hopefully...

BlueSnarfing at CeBIT 2004

A paper (pdf) was recently published about a field trial conducted at the CeBIT 2004 show in Hannover.  The experiment was aimed at quantifying the exposure of current Bluetooth-enabled devices to BlueSnarfing attacks. Remember what BlueSnarfing is?  Here's a refresher. Up until now, handset manufacturers have considered BlueSnarfing to be a harmless activity.  But I don't want my contacts exposed to strangers, nor do I want them to be able to use my phone to initiate an unauthorized SMS message or a phone call.  It's also possible for BlueSnarfers to overwrite contact information, or even to add entries.  I don't think my wife...

Due Diligence vs. SLAs

I had a meeting today with the Data Center folks, who I work very closely with (I'm in charge of security at the Data Center, see).  The topic was “Incident Response”.  Now when someone says “incident” to me, I think “security incident”, but to 99.99999999% of the world, it means simply “something unexpected happened”. Now the data center folks have a job to do:  Get the system(s) back online as quickly as possible.  If a system is down for more than 5 minutes, it triggers a slew of customer alerts and sundry other things.  This, among many other things, the DC team...

Best... Spam... Ever!

I got this phishing email in one of my test mailboxes overnight: Your credit card will be billed at $22.95 weekly and free 3 pack of child porn CD is shipping to your billing address. To cancel your membership and CD pack please email full credit card details to dnsadmin@tucows.com Ready to enjoy all types of underage porn? We have the best selection for every taste! Click the secret link below and have fun... www.[obfuscated].com Contact us: http://resellers.tucows.com/contact_service You can order by phone:1- 416-555-5555 (obfuscated) So, in order to avoid getting illegal kiddie porn in the mail, you have to send them...

The Farewell Dossier

There is an interesting book coming out next month called "At the Abyss: An Insider's History of the Cold War", by Ballantine Books.  It's written by Thomas Reed, who worked at varying levels of government, including a stint as Ronald Reagan's Secretary of the Air Force. What does a book about the cold war offer to interest my readers?  I'm so glad you asked! Indulge me for a moment, while I give you a little history lesson: In 1981 the CIA discovered that the Soviet Union was pillaging American (and other Western) technology at an alarming rate, starting way back in 1970.  They were...

New NMap Version Released

Fyodor announced today, on the BugTraq mailing list, the immediate availability of NMap v3.50. As most of you know, NMap is the de facto standard in the security realm for port scanning and host/OS fingerprinting.  It also would have ranked #1 on Fyodor's 75 Top Security Tools had he not disqualified his own utility from being voted on and appearing on the list. The changelog for NMap can be viewed here. Thanks Fyodor, and everyone who contributes to the NMap project, for such a fantastic piece of software. Edit:  NMap was the utility used in the movie Matrix Reloaded to scan the power station network...

Pepsi Exploit in the Wild

A new exploit has been found that will circumvent Pepsi's process for giving away free iTunes music downloads. The advisory for the exploit includes Snort rules to detect this attack. No word from Pepsi on a patch. Heh.

Windows Update CD Now Available

Microsoft has finally released a Windows Security Update CD in consideration of all the modem users who find their systems have been hacked before they can download and install the necessary updates over the Internet.  (Have I mentioned that most new systems are probed for weaknesses within 15 minutes of being attached to the Internet?). It's free.  Go get one.

Phishing Incidents up 50% in January

According to a recent press release by antiphishing.org and Tumbleweed Communications Group, phishing incidents increased by nearly 50% in January compared to the previous month. I made a quick graph of the number of phishing incidents reported to antiphishing.org over the past 3 months, and the trend is disturbing: As you can see, scammers are really taking a liking to phishing as a means to bilk money from unsuspecting victims. It's interesting to note that 32% of the phishing attacks monitored during this period relied upon the recently-addressed IE feature that allowed web addresses to include user credentials in the URL.  Recent patches to Internet Explorer...

Anatomy of an HTTP Request

Cyberguard recently published an article by Gideon Rasmussen detailing the network traffic that is generated by a normal HTTP request. It's a great example of common traffic if you are just getting your feet wet with network analysis. (Thanks JOAT)

Who is *really* doing your taxes?

As tax time approaches, one of the issues that has come up recently is the effect offshoring is having on financial sectors, like the tax preparation business. According to a recent report on 60 Minutes, roughly 200,000 U.S. tax returns will be prepared by Indian tax preparers, nearly a 10-fold increase over last year.  In many cases, without the client even realizing it. In fact, entire businesses are springing up to handle the offshore tax return preparation business.  Take, for instance, SurePrep, a company based in Bombay and soliciting US accounting firms to send them their tax return business.  “What if...

International Crypto Laws

If you need to find out the regulations for exporting an encrypting VPN device to Lithuania, this is where you can get a brief overview of the cryptography laws in about 70 different countries. A guy I know once told a German customs agent that a small VPN device was a “hub” because he wasn't sure if he was breaking the law or not by carrying it into the country.  Don't be that guy.

Here come the exploits

As most of my readers probably know, because it's been all over the news, the source code for Windows NT4 and Windows 2000 was leaked to the Internet late last week. The first of probably many bugs resulting from this exposure has been identified and published. The bug involves a buffer overflow in the way Internet Explorer v5 (subsequently fixed in v6) handles gif images.  IE5 is the browser version that ships with Win2k. This bug is a non-issue if the machine is properly patched (which will likely be the case for 99% of the bugs that are found in this obsolete source...

eEye Publishes "Upcoming Advisories" List

You can see a little bit about some advisories eEye is sitting on by going here.  A couple of these are over 5 months old.  I wonder what would prompt a company like eEye to sit on an advisory for so long?  They must be doozies, if the last bug they concealed for so long is any indication.

A Home User's Security Checklist for Windows

There is a new article on SecurityFocus that includes a handy checklist for securing your Windows computer(s) at home.  I haven't gone through the entire thing for accuracy, but I think it should prove useful to a lot of my readers.  Go get it. And actually, I have to admit to never running RegClean on any of my home systems.  You learn something new every day.

Gaping Hole in Sophos Email Virus Scanner

If you run Sophos as your virus protection, run don't walk to their site and get your software patched. There are 2 major holes in the product that will cause either a virus to slip past the scanner undetected, or cause the virus protection engine to keel over under an infinite loop condition.

Microsoft Exchange Team Has a Blog

Paul at E2K Security notes that the Microsoft Exchange Team is now doing a blog with a terribly clever name: “You Had Me at EHLO”. Only a few posts up so far, but it looks great.  Let's hope they continue shining some light on the dark places within Exchange.

IE Cumulative Patch

I forgot to mention: Microsoft also has recently released a cumulative patch for Internet Explorer, fixing a number of issues. Most interesting, at least for my readers, is the fix of a certain flaw that made phishing a bit easier.  Now, when clicking on the malicious Citibank link in my previous article, IE delivers a “Syntax Error” and does not take you to either the spoofed site or the real one. I guess that's ok.  But hovering over the link still shows the wrong information.  That needs to get fixed too, I think. I'm still not using Internet Explorer, by the way.  MyIE is...

Patch Day Cometh

Patch day came and went, and Santa delivered us some very critical patches this time around. First, a disastrous buffer overflow in the ASN.1 parsing library that Windows' security components rely on (MS04-007) was discovered about 6 months ago by eEye, who graciously kept it to themselves while a patch was developed.  Microsoft has finally worked out a fix and has published it.  There are no words to adequately communicate how critical this patch is.  If you haven't run Windows Update since before Tuesday, stop reading this and go do it now. Also, 2 other patches were released, tagged Important: MS04-005 addresses an issue with the VirtualPC product on Macs. MS04-006...

Bluetooth leaves Nokia phones wide open to attack

CNET's News.com is reporting on a flaw in Nokia's bluetooth implementation that was made public today by security research firm AL Digital.  They claim that certain handsets from rival Sony-Ericsson are also vulnerable to this type of attack. The vulnerability allows an attacker to attach to a victim's device via Bluetooth, and access sensitive data, including address book and calendar information.  The attacker can not only read data (we've known about that one), but also write new information and delete entries.  There is also the possibility that the attacker can actually utilize the phone's connection to send SMS messages and browse the web...

Port Knocking

The concept of “port knocking” has recently been discussed in places like Slashdot and LinuxSecurity.  I think it has merit, and should not be dismissed so readily. The basic concept is that a firewall has ports for a particular service closed until it receives a sequence of connection attempts on a pre-defined set of unrelated (and closed) ports.  If the sequence is correct, the firewall dynamically opens up the designated service and allows the client to connect to it normally.  One advantage of this kind of security method is that attackers have no idea what services are running on the target system because the...
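The knock-then-open exchange described above, as an added example that is not part of the original post or of any port-knocking tool it mentions. It shows the daemon side: per-source tracking of progress through a three-port sequence, a reset on any stray SYN (so a scanner walking the port range never stumbles into the open state), and a time window for the whole sequence. The one thing I would add to the scheme as usually described is that a fixed sequence is a static password sent in the clear, so anyone sniffing the path can replay it; here the sequence is instead derived from an HMAC of a shared secret and the current minute, which makes a captured knock useless once the minute has passed. The secret, port range, window, time step and the (src_ip, dst_port, unix_time) event format are all assumptions; a real daemon would feed observe() from firewall logs or a packet capture.

```python
# Added example (not from the original post): a port-knock validator whose
# knock sequence rotates every minute via HMAC, so a sniffed sequence cannot
# be replayed. Secret, port range, window and event format are assumptions.
import hashlib
import hmac
import socket

KNOCK_PORT_RANGE = (20000, 60000)  # closed ports the daemon watches for SYNs
SEQUENCE_LEN = 3                   # knocks per sequence
TIME_STEP = 60                     # the sequence changes every 60 s
WINDOW_SECONDS = 30                # the whole sequence must arrive within this


def knock_sequence(secret: bytes, slot: int) -> list[int]:
    """Ports to knock during time slot `slot` (= unix_time // TIME_STEP).

    Both sides derive it from HMAC-SHA256(secret, slot); nobody transmits it,
    and it is worthless once the slot has passed."""
    mac = hmac.new(secret, slot.to_bytes(8, "big"), hashlib.sha256).digest()
    lo, hi = KNOCK_PORT_RANGE
    return [lo + int.from_bytes(mac[2 * i:2 * i + 2], "big") % (hi - lo)
            for i in range(SEQUENCE_LEN)]


class KnockDaemon:
    """Consumes (src_ip, dst_port, unix_time) events for SYNs to closed ports."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.progress = {}   # src_ip -> [slot, next_index, first_knock_time]
        self.opened = []     # (src_ip, unix_time) for every completed sequence

    def observe(self, src_ip: str, dst_port: int, now: int) -> bool:
        """Return True when src_ip has just completed a valid sequence."""
        state = self.progress.get(src_ip)
        if state is not None and now - state[2] > WINDOW_SECONDS:
            state = None                      # too slow: drop the partial sequence
        if state is None:
            # First knock: accept the current slot or the previous one, so a
            # client that computed its sequence at 12:00:59 still gets in.
            for slot in (now // TIME_STEP, now // TIME_STEP - 1):
                if knock_sequence(self.secret, slot)[0] == dst_port:
                    self.progress[src_ip] = [slot, 1, now]
                    return False
            self.progress.pop(src_ip, None)
            return False
        slot, idx, first = state
        if knock_sequence(self.secret, slot)[idx] != dst_port:
            # Any other port (a scanner walking the range, say) resets the state.
            self.progress.pop(src_ip, None)
            return False
        idx += 1
        if idx == SEQUENCE_LEN:
            self.progress.pop(src_ip, None)
            self.opened.append((src_ip, now))  # here the firewall rule would be added
            return True
        self.progress[src_ip] = [slot, idx, first]
        return False


def send_knocks(host: str, secret: bytes, now: int, timeout: float = 0.3) -> list[int]:
    """Client side: one TCP connect attempt per port; the SYNs are the knock."""
    ports = knock_sequence(secret, now // TIME_STEP)
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                pass
        except OSError:
            pass          # refused or timed out is expected; the SYN already left
    return ports
```

The daemon never answers anything, so a scanner sees the same closed ports before and after; the only observable is the service port opening for one source. Two caveats remain even with the rotating sequence: the secret has to be distributed out of band, and a client behind a NAT shares its source address (and therefore its opened rule) with everyone else behind that NAT.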

Decompression Bombs

There is a fascinating article on Aerasec's web site about a fairly unexplored attack vector dubbed “decompression bombs”.  It's not all that new, decompression bombs were seen in the early 90s during DoS attacks on FidoNet sites. The basic concept is that malformed (not really malformed, but just really really big) files are compressed (using gzip or whatever), and then sent to the target system.  When the target system attempts to unzip the files, the application will often crash, and in some cases, render the entire system unusable. Where this really has a high impact is corporate virus gateways that scan files for viruses. ...
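The attack above and the defence a scanning gateway needs, as an added example (not code from the Aerasec article or any product it names): a few lines that build a gzip stream which is tiny on disk but inflates to tens of megabytes of zeros, next to a decompressor that asks zlib for bounded output and stops the moment the cap or a size ratio is exceeded, instead of letting the stream dictate the allocation. The sizes, the 8 MiB cap and the 200:1 ratio are assumptions chosen for the demo.

```python
# Added example (not from the article): a small gzip "bomb" and a decompressor
# that refuses to inflate past a hard cap. Sizes and limits are assumptions.
import zlib


class DecompressionBomb(Exception):
    """Raised when inflating would exceed the configured output or ratio cap."""


def make_gzip_bomb(mib: int = 32) -> bytes:
    """Constructed test input: `mib` MiB of zeros in a gzip container (~1000:1)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, 31)       # wbits 31 = gzip framing
    chunk = bytes(1024 * 1024)
    parts = [comp.compress(chunk) for _ in range(mib)]
    parts.append(comp.flush())
    return b"".join(parts)


def safe_decompress(data: bytes, max_out: int = 8 * 1024 * 1024,
                    max_ratio: int = 200) -> bytes:
    """Inflate gzip/zlib data, aborting as soon as the output exceeds max_out
    bytes or grows past max_ratio times the input handed to zlib so far.

    gzip.decompress(data) allocates whatever the stream asks for; this version
    requests bounded output from zlib and checks after every step."""
    inflater = zlib.decompressobj(47)                   # 47 = auto-detect gzip or zlib
    out = bytearray()
    fed = 0
    for off in range(0, len(data), 64 * 1024):
        buf = data[off:off + 64 * 1024]
        fed += len(buf)
        while buf:
            room = max_out - len(out) + 1               # one byte over the cap is proof enough
            out += inflater.decompress(buf, room)
            if len(out) > max_out:
                raise DecompressionBomb(
                    f"output exceeded {max_out} bytes after {fed} input bytes")
            if len(out) > max_ratio * fed:
                raise DecompressionBomb(
                    f"ratio exceeded {max_ratio}:1 after {fed} input bytes")
            buf = inflater.unconsumed_tail              # input zlib has not touched yet
    out += inflater.flush()
    if len(out) > max_out or len(out) > max_ratio * max(len(data), 1):
        raise DecompressionBomb("stream trailer pushed output over the limit")
    if not inflater.eof:
        raise ValueError("truncated compressed stream")
    return bytes(out)


def is_bomb(data: bytes, **limits) -> bool:
    """True if safe_decompress would refuse `data` under the given limits."""
    try:
        safe_decompress(data, **limits)
    except DecompressionBomb:
        return True
    return False
```

The ratio check is measured against bytes handed to zlib rather than bytes it has consumed, which can only under-count the ratio, so it never rejects a legitimate file that the cap would have accepted. A gateway also has to apply the same caps recursively to archives nested inside archives, since a zip of zips multiplies the ratio at each level.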

Detecting an email scam

This sorta started out as a quick blurb about 2 handy tools I use to decipher hexadecimal URL strings, AsciiTable.com and the URL Encode/Decode page at Albion Research.  But it kinda grew into why I needed these things, and then I couldn't really tell the story without, you know, telling the story, and we ended up with this novella.  This is grade-school stuff for most security folks, but I have a lot of innocent bystanders reading my blog too, and I hate to pass up the opportunity to educate an end user on how to identify an email as a phishing expedition.  So...

Microsoft Fixing IE's Spoofing Weaknesses

Microsoft on Wednesday announced that they will be updating Internet Explorer soon to disable the ability to provide user credentials in HTTP and HTTPS URL strings. This feature has recently been exploited by scammers who have used weaknesses in the routines to trick users into going to malicious web sites.  (I covered these issues in depth, in my phishing expose “Phishing For A Living” and the followup “Spoofing the Address Bar in Internet Explorer”) While this change will certainly generate some heartburn for a few web developers, I applaud it.  Nobody should be sending user creds over the Internet in URL strings anyway, I can't think of...
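The decoding the “Detecting an email scam” post above does by hand, and the user@host trick this post describes, as one added example (not code from either post, and not from the Albion or AsciiTable pages): it percent-decodes the pieces of a URL, separates any user-info in front of the real host from the host itself, exposes the decoy name a victim was meant to read (IE's address bar showed the user-info only up to the first control character, which is why the “%01” variant worked), and rewrites a dotless decimal or hex IP host into its dotted form. The sample URLs in the test are constructed, and the private address in them is a placeholder.

```python
# Added example (not from the original posts): read a phishing link the way an
# analyst does, decoding %XX escapes, splitting any user@ decoy off the real
# host and normalizing dotless IP hosts. Sample inputs are constructed.
import ipaddress
import re
from urllib.parse import unquote, urlsplit


def normalize_host(host: str) -> str:
    """Rewrite dotless IPv4 hosts (3232235786, 0xc0a8010a) as dotted quads."""
    h = host.lower()
    try:
        if re.fullmatch(r"0x[0-9a-f]{1,8}", h):
            return str(ipaddress.IPv4Address(int(h, 16)))
        if re.fullmatch(r"[0-9]{1,10}", h) and int(h) <= 0xFFFFFFFF:
            return str(ipaddress.IPv4Address(int(h)))
    except ValueError:
        pass
    return h


def inspect_url(url: str) -> dict:
    """Break a link into what the browser connects to versus what it shows."""
    parts = urlsplit(url)
    host = normalize_host(parts.hostname or "")
    userinfo = unquote(parts.username or "")
    if parts.password is not None:
        userinfo += ":" + unquote(parts.password)
    # IE rendered the user-info only up to the first control character, so
    # that prefix is the site name the victim was meant to read.
    decoy = re.split(r"[\x00-\x1f]", userinfo, maxsplit=1)[0]
    path = unquote(parts.path)
    if parts.query:
        path += "?" + unquote(parts.query)
    return {
        "host": host,                          # where the connection actually goes
        "userinfo": userinfo,                  # credentials/decoy sent ahead of the host
        "decoy": decoy,                        # the part a user would take for the site
        "path": path,
        # anything before an '@', or a host that needed rewriting, is a red flag
        "suspicious": bool(userinfo) or host != (parts.hostname or ""),
    }
```

Anything at all before the `@` is the tell: a bank will never put its own name, let alone credentials, in the user-info portion of a link. The same rule is why the change Microsoft announces here breaks nothing a legitimate site should be doing.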

New Guidance on Handling Incidents

Dana discovered a new document put out this month by NIST, providing some great guidance with regards to incident handling. I've only skimmed it, but so far it looks excellent.

This is me shutting up about ICF

So I finally took some time out this past weekend to have a hard look at the new version of Internet Connection Firewall that will come with Service Pack 2 for XP. It's good.  Actually, it's better than I dared hoped for. My fears that it will be too complicated for the average home user are completely unfounded, if this beta version is a fair representation of what will be in the shipping service pack.  I am able to run Everquest, Star Wars Galaxies, and other online games without all the configuration hassles that prompt users to disable similar firewalling products from...

IE Team Insights

I saw a post on Scoble's blog about a recent meeting he had with the head of Microsoft's IE team.  It's fairly enlightening.  They say the site spoofing bug that I have been railing against for the last month has been unusually difficult to squash without causing other issues, but they are working hard on the problem. Yes, those guys need a blog, badly.  The lack of outward communication is leaving us with conjecture and speculation as the only source of information about bugs and other issues relating to IE.  It should be noted that many people (myself included) have been...

No IE fixes in January's updates??

I'm stunned that Patch Day has come and gone without a single update to Microsoft's most popular and most bug-ridden application, Internet Explorer.  Some very critical bugs remain unpatched, and worse, are actively being exploited in the wild. Phishers started using the new address obfuscation techniques only a week after they were announced to the world, reports SecurityFocus.  Bank of America, Citibank, PayPal, Earthlink, Barclay's and Lloyd's have all been targeted by the new enhanced form of phishing made possible by this egregious bug in Internet Explorer since the bug was first made public 5 weeks ago. Is there anyone left on the...

January's (and December's!) Round of Microsoft Fixes Are Now Available

Microsoft is releasing 3 fixes for the month of January:
MS04-001 concerns a flaw in ISA Server 2000, Microsoft's firewall/proxy product.  This patch is deemed critical, as it allows remote command execution.
MS04-002 is a moderately severe flaw in Exchange 2003 that could allow privilege escalation.
MS04-003 is yet another MDAC buffer overflow, that Microsoft deems “important” in severity.  This patch replaces the one provided in MS03-033.
Enjoy!

Apathy

This happened a couple months back, but I am just now getting around to commenting on the issue: I was troubleshooting a problem I was having with new servers in my lab.  They would run for about 5 minutes, then suddenly drop off the network.  They would still be attached to the network, but any network traffic sent to them, or sent by them, seemed to get stomped on.  This behavior occurred on multiple new systems, and was driving me insane. So at some point I fired up my EtherPeek packet analyzer and pointed it at the port one of these misbehaving...

45% of executables on Kazaa are malicious

According to this Wired story, a recent analysis of executables available for download on the popular file sharing service Kazaa showed that nearly half the files downloaded contained some form of malware. The malware ranged from trojans that turned the downloader's computer into a spam relay, to programs intended to search through the system looking for personal files and passwords. Always look a gift horse in the mouth, because you might find it full of trojans.

First Look at XP Service Pack 2 beta

Yes, I know I promised to give the Beta a try and report back on how it does.  But I haven't gotten around to it for several reasons, first of which is that it took some time for Microsoft to put the (400MB!) ISO up on MSDN so people could download it. And then it became a factor of my motivation level, which has been staggeringly low lately.  (“Staggeringly“.  Hmm.  First time I have ever used that word here I think.  I think I like it!) Anyway, Security Pipeline recently wrote up a nice first-look at the Service Pack.  So go there...

Beta of Service Pack 2 is out

Microsoft has released the first Beta of Service Pack 2 for Windows XP.  I was not on the initial list of beta testers, but thanks to a friend of mine at Microsoft (who will remain anonymous, lest he gets swamped with similar requests for Beta membership), I am now.  I hope to get the CD in a few days so I can have a look. Then perhaps, as my friend suggested: “You can stop complaining”. We'll see.  My biggest fear right now is that ICF (or Windows Firewall, as it is now called) has been enhanced to the point of being immediately...

I'm done with IE until they fix it

After reading the explanation put out by Microsoft today regarding the address bar spoofing bug, where they explained how the end user should copy and paste the shortcut into Notepad to protect themselves instead of providing a damn patch, I decided to give up on Microsoft fixing Internet Explorer.  All hopes seem to rest on XP's Service Pack 2, so we're pretty much on our own until they ship that in 6 months. I have moved now to MyIE2, which has all the features of Internet Explorer, with the added bonus of being maintained and updated against new exploits as they come out. ...

Detailed information about XP SP2 changes

Chris Pirillo did a very nice job detailing the changes going into Service Pack 2 for WindowsXP. All we have to do is hold our positions for 6 more months, people!

Current list of unpatched IE holes

There are currently 20 known vulnerabilities in Internet Explorer that have gone unpatched.  Some have been known for nearly 2 years.  The list used to be maintained by Thor Larholm at Pivx, but they took it down for reasons that are still unclear (and often speculated about, seeing how Microsoft now appears on Pivx' client list).  Thor states that the page had “served its purpose”.  20 vulnerabilities still unpatched, Thor.  That doesn't spell “Mission Accomplished” to me. These issues have gone unpatched because Microsoft considers them all “low risk”, and maybe individually most of them are.  However, thanks to diligent work by Lie...

1stCleanRC IE exploit demo

One of the IE exploits Liu Die Yu announced in November, and Microsoft opted not to patch against in December, is one that allows a web site to upload an executable file to your computer and then execute it.  All the user must do is go to the malicious web site.  No other action is required to trigger the exploit. For a great (and harmless) demo of this issue, turn off your popup blocker and go here. Scary huh.

Browser Address Bar Spoofing Article now available

Due to the malicious code I had to use in order to demonstrate the newly-discovered Address Bar Spoofing issue, my RSS feed would not pass validation.  RSS feeds that do not pass validation are often not read by aggregators.  While the aggregator I use, FeedDemon, downloaded and displayed the post just fine, the aggregator 60% of my viewers use, FeedReader, displayed nothing.  Also, several sites automatically suspended bmonday(dot)com from their blogrolls because of the validation failure (thanks Jose Nazario at infosecdaily.net for emailing me about that issue). So, what I ended up doing was deleting the offending post and resubmitting it as a “story”...

Microsoft Security Newsletter #1

As Dana pointed out, Microsoft today published their first Security Newsletter.  You can view it online here.

Huge Browser Flaw

Yes, I know a huge browser flaw has been found this week.  I am working on a blog entry about it, but I want to wait until I update my Phishing Scam demo so I can demonstrate how devastating this issue can be, especially for targets of phishing scammers. In the meantime, you can read about the problem (and see if your browser is vulnerable) by going here.  The web site says it's an IE bug, but it was confirmed that Mozilla is also vulnerable to this issue.

I'd rather have some coal, thanks

The holidays are traditionally a busy time for hacking activity.  One of the reasons is the fact that a lot of script kiddies have the holidays off from school, and have nothing better to do with their time than mucking with someone else's network, trying to score some credit cards to use for holiday shopping.  Then there is the fact that a lot of IT staffs are on vacation, or at least short-staffed, during this time of the year.  So that gives courage to the *real* hackers, who count on slipping unnoticed past the remaining over-worked staffers that emptied their vacation pool attending Oktoberfest. The combination...

On-Demand replay of Security Week Webcasts now available

If you were like me and missed the majority of the webcasts Microsoft did last week during Security Webcast Week, here's your chance to catch up. You can get on-demand replays of all the webcasts by going to the Security Webcast Week site and clicking on the session you want to see. I only caught one webcast last week, and saw 2 more so far in repeats, but they seem to have been very informative.

Microsoft is playing a dangerous game

So Microsoft opted not to ship any patches this month.  Not because there was nothing to fix.  But because they weren't ready. This is a very dangerous game for Microsoft to be playing, for a number of reasons: Responsible Disclosure only works when the vendor is responsive about fixing the problems.  I will bet money that at least one of the researchers who have been working with Microsoft to get these vulnerabilities fixed will not wait another month before going public with the issue.  The reasoning will be something along the lines of “Microsoft needs to be reminded about what happens when they are slow with...

New Project: Studying Malicious Web Sites

I am going to be doing some research on hostile web sites and I'm looking for some tools to use.  Basically, I want to set up a honeypot of sorts, that I can use to surf to various sites and find out if they are doing anything evil as a result. The goal is not to test a particular browser's ability to repel such attacks, the goal is to identify and capture the attacks (successful or not). I have some ideas of how to conduct this research, involving a mix of packet analysis, Snort and Tripwire-ish utilities, but that is looking like a huge...

Government to Companies: Don't make us come back there!

Patience is running out at the legislative level, it seems, for convincing companies to do the right thing with customer data. There has been an increasing number of comments coming out of various government agencies about the continued failures of corporate America to do the right thing when it comes to protecting consumer information, and protecting their networks from cyberattacks.  Scary comments, like "We are not going to let anybody who operates in this space dodge their responsibility, and I will be sticking my finger into people's chests to make sure they live up to their responsibilities." (Robert Liscouski, assistant secretary of...

Webcast: Using the Microsoft Security Tools

One of the Security Webcast Week webcasts that I have been eagerly awaiting is the one entitled “Using the Microsoft Security Tools” that plays tomorrow (Thursday) morning.  This should be a great demonstration of how the varying tools are used together to implement (and audit) security on the Enterprise. It better be good too, because I'm dragging my lazy butt into the office at 8:00 AM to catch it :)

Webcast: Ten Ways to Hack-Proof Your Identity

The SANS Institute is giving a free webcast on Wednesday about how to hack-proof your identity.  It will be conducted by Cisco's Director of Corporate Security, John Stewart.  Don't miss this one!

Reminder: Security Webcast Week starts today

Just a reminder that Security Webcast Week starts today on Microsoft's Technet site.  Lots of good security information should be flowing at these webcasts, so don't miss them.

DOE releases official report on the Blackout of 2003

I've made no secrets about my personal belief that the power outages of August 2003 were a result of cyberterrorism.  I have no facts to base this opinion on, aside from an avalanche of circumstantial evidence, and the fact that everyone acknowledged it was possible to conduct such a strike due to the insecurity of the SCADA systems.  And then there was that Slammer attack in January that forced the Davis-Besse nuclear plant offline. Well, the DOE has finally published their initial findings.  The thing is huge, and I haven't had a chance to really read it closely. The notable quotes so far from...

If we could just figure out how to keep it crashed all the time, we'd be home free

During a discussion on BugTraq this week regarding a recently-discovered vulnerability in OpenBSD's kernel that could cause the system to crash, a developer on the FreeBSD project chimed in with this gem: “...it isn't really a security issue, the bug puts the system into one of its most secure states: halted.” Oh boy, I wish Microsoft could get away with saying a crashed system is just a system in its “most secure state”. Priceless.

Hackers do it too

I wanted to also address the growing number of black hats that are using the techniques I just described for getting the users to install malware on their computers under the guise of a security patch.  But I didn't want that message to be lost in all the images of my original post. It is critical, as members of the Internet community, that end users put some thought into what they do on their computers.  Black hats are using techniques similar to the ones below in order to trick users into installing trojans and other malware onto their computers.  One click and...

Today's example of fraudulent sales techniques: inKline Global, Incorporated

I don't have a problem with popup ads, really I don't.  I will not think less of a company using them as a marketing technique.  Of course, I use Google's popup blocker, so I don't see them any more anyway. But what really chaps my ass is companies using plain old lies and deceit to sell their wares to an unsuspecting user. For a prime example of this shady sales technique, I present the following popup ad (pop-under ad, technically) from a company called inKline Global: inKline has gone through an awful lot of trouble to make this look like a page from...

Security Webcast Week at Microsoft

I stumbled across this gem while I was looking for a webcast that supposedly happened this morning (to no avail!). Microsoft is dedicating an entire week to Security webcasts on the Technet website.  Being on Technet, the webcasts should be fairly detailed, designed for IT professionals. Topics include:
Penetration Testing, Vulnerability Scanning, and Security Auditing
Designing a Secure, Reliable, and Usable Patch Management Infrastructure
Using Portable Handheld Devices in a Secure Manner
10 Things Hackers Don’t Want You To Know
So far there are 13 webcasts scheduled for the week.

Microsoft's new Security Update CD

Dana posted last week about Microsoft's new Security Update CD.  It appears to be one of the deployment mechanisms being considered for the upcoming Service Pack 2. This is a welcome change from the current download-only patching mechanisms.  Downloading a 300MB service pack over a modem connection is not something users are looking forward to.  And I know that has long been a defense users offer up when charged with being lazy about patching. I would love to see Microsoft offer updated CDs on a quarterly basis to anyone who wants them.

Home Computer Security Site

CERT has recently published a new website dedicated to securing your home computer.  It goes through the basic threats to the home computer, and runs users through 9 “tasks” to make their systems more secure.  It's written at a really basic level that anyone should be able to understand. This is a great resource for home users who need help getting a handle on securing their systems at home. Update:  Actually, this document was written over a year ago, according to the dates on the pdf file.  Weird.  Still chock full of yummy security goodness though!

Good article on the e-voting debacle

One of my favorite sites for security editorial content is SecurityFocus.com (owned by Symantec, actually, but you'd never guess it). Yesterday one of their writers did a really interesting article on the troubles Diebold has been having with their e-voting machines, now that we've gone through a real election using a good number of them across the nation.  To recap quickly, Diebold is the manufacturer of the most popular (by far) e-voting platform in the country.  And they are a major contributor to the Republican Party.  And their CEO has vowed to deliver Ohio to George Bush in the next election. ...

More Bluetooth troubles

I meant to blog about this, but I forgot until Dana Epp reminded me (Dana's site is one of my top 5 right now, really informative stuff): Remember a few months back I blogged about some new Bluetooth vulnerabilities that were starting to come to light? Well, since then, the white hats have been hitting Bluetooth right in the kisser, and the folks at A.L. Digital have uncovered some real doozies.  The worst one of them will allow a remote Bluetooth device to attach to your device and download the entire contents of your device, including contacts and other personal information. Now, as was the case...

Service Pack 2: What developers need to know

Michael Howard sent an email to the NTBUGTRAQ mailing list this morning with a link to a new document at Microsoft that details what developers need to understand about Service Pack 2 for Windows XP. Lots of good information in here, I encourage everyone to give it a read.

I find this disturbing

Here is a page from Microsoft about how to stop Messenger spam on Windows XP.  Their solution?  Disable the Messenger service. How about enabling the built-in firewall instead?  Then you won't have to worry about what ports are listening on your system.  I think that's a better solution for securing an end-user's system.  If your system is exposed enough to receive Messenger spams, you have much more to worry about than annoying little popups, trust me. I find some of Microsoft's security suggestions to be a bit puzzling at times.

RSS Feed for Microsoft Download Site Changes

Thundermain maintains an RSS feed that tracks changes on Microsoft's download pages.  This is an awesome tool to get a jump on security patches, since they are often posted to the downloads site prior to being published. Get the feed here.

TCP/UDP port list for Microsoft Server and Workstation products

Microsoft recently posted an Excel spreadsheet that details the TCP and UDP ports that the operating systems use.  Good to know!  (thanks Scoble)

Do we need bug bounties?

As you read here and elsewhere, Microsoft recently began offering bounties for information leading to the arrests of major virus/worm authors.  Topping the list are the authors of SoBig and Blaster. It's a good start, and I hope the efforts bear fruit.  Sadly, law enforcement agencies in the US have not been very effective providing a deterrent to hackers.  Let's hope some good old fashioned greed will get these miscreants captured, and give pause to those who are considering like courses of action. Some are proposing bug bounties, as a way to encourage researchers (and I use that term loosely) to submit...

Add another feature to the bloated pig that is Service Pack 2

I guess Microsoft is now toying with the idea of updating Internet Explorer in the upcoming (?) Service Pack 2 for Windows XP.  The new feature will stop pop-ups. I've ranted often enough about my many concerns with SP2, so I will spare you.  I will say only that they better not be delaying the security changes we desperately need so they can put a damned popup blocker on IE (which you can already get from people like Google). Update:  Let me add that if they decide to add a popup blocker to IE as part of this “service pack” they better...

Fantastic overview of Windows XP SP2 changes

Steve turned me on to a great MSDN article that documents the specific changes being implemented in Service Pack 2 for Windows XP. I still feel strongly that ICF should be enabled as an inbound-only firewall, even though Steve (and Microsoft) disagrees with me.  Let's just say I don't have a lot of faith in end users or software developers.  Can the new ICF be successful without a new level of commitment by both sides?  That remains to be seen.  Perhaps I'm too much the cynic.  I would love to be proven wrong.

Michael Howard's blog added to the BlogRoll

By the way, I finally added Michael Howard's blog to the BlogRoll on the right.  I would have done it sooner, but he seems to have been having trouble with his site the past few days. Mr. Howard is one of the guys calling the shots with regards to security in Microsoft products.

Scoble and I trade comments on upcoming SP2 and ICF changes

Robert Scoble and I traded comments late last night on his blog about the upcoming service pack for XP, and the expected changes to ICF.  I went to bed a bit stunned after reading his initial reply (bold emphasis is mine): “Beau, I hear you, but there are other nasties coming and we decided to fix a few more than just the firewall, since we know many people will simply turn off the firewall (I saw this happening over and over at the PDC).  Beta starts in mid-November.” I tossed and turned all night, trying to understand the logic of this decision,...

Microsoft: Ship SP2 for XP this year, and leave ICF alone

It could have been so simple.  Just ship the service pack that enables ICF and includes the post-SP1 fixes.  Why in the world is it now being pushed back until Q2 of 2004?  Why do we have to wait another 8 months for such a simple batch of fixes? The reason why SP2 has been pushed back until Q2 of 2004 is because Microsoft is using it as a test run of a new project called “Springboard” that will slowly introduce new Longhorn security technologies into existing products.  One of them is a new memory management feature that will help combat buffer...

More on OS X security patch issues

This is just getting worse and worse. Seems with Panther they dropped support for a number of their hardware platforms.  Certain models of the G3 line will not run Panther.  If you use that hardware, you are out of luck on security patches because you cannot upgrade to Panther. People are saying Apple has only had 2 days to come up with patches, and to give them time.  Wrong.  @Stake says they notified Apple of the core overwrite issue in July and the DMG issue in June.  Apple has had plenty of time to produce patches if they so desired.  If we see...

Groups pushing for domain buyers' privacy

If you own a domain, and you have followed the rules, domain registrars store some pretty sensitive information about you, like your home address, your name, your email address, your phone number, etc.  This information is collectively called the WHOIS database, after the service/tool that is used to query it for information.  Your domain can be taken away from you without notice if they find out you have provided false information to the registrar. Unfortunately, also because of the rules, this sensitive information is freely available to anyone who requests it, including spammers and identity thieves.  There is no effort made to qualify...

Phishing for a living

Let's talk a moment about the art of “phishing”, shall we?  This ain't your daddy's fishing, no sir.  Phishing is the term being used to describe theft of credit card information, usernames/passwords, and/or identity information using a combination of email and bogus web sites. Consider, if you will, the following email from what appears to be Citibank: Oh crap!  They are going to cancel your checking account unless you clicky the linky!  So you do, and it takes you to something like this...  Looks like a Citibank page, doesn't it?  But is it really?  Where did I *really* send you?  Take a...

Cyberwar feature on Frontline

I ran across this on a security site yesterday, but now I can't find the source.  So I apologize for not giving props. PBS' Frontline did a feature called Cyberwar that was an hour-long show on the growing threats of cyberwar and what the US is doing about it.  If you follow the link you can watch the entire show in 6 segments. It includes an entire segment on how vulnerable the US power grid is to attack from the Internet.  And this was back in April, well before the big (still unexplained!) power outage in the Northeast. Very fascinating stuff.

Sneaky spammers

Over on the Incidents mailing list there is quite a bit of discussion about a new variant of the CoreFlood trojan that seems to be cropping up lately.  This is classified as a trojan, not a virus, since it does not attempt to propagate itself to other systems. The interesting thing about this one is that it is designed to help spammers obfuscate the source of their emails.  Basically it turns the infected system into a mail relay for spammers. Here's how it works: The first time it starts, it attaches itself to every running process on the system so that it cannot...

Microsoft to shoot the Messenger

So in addition to enabling XP's built-in firewall, Service Pack 2 will also disable the Messenger service.  Which will no longer function anyway, because the built-in firewall will stop any traffic aimed at it. Uhh.  Ok.  Whatever. I guess it's good in the case of people disabling the firewall.  But I have always argued that if you are letting in enough types of traffic to allow spammers to talk to your Messenger service, you've got much more to worry about than a few annoying popups. Messenger seems like such a silly thing to disable, when on a system with no firewall protection there are...

Want patches for security holes? $129 please

That's what Apple is telling customers so far with respect to a flurry of vulnerabilities in OS X.  The recommended fix for the vulnerabilities?  Upgrade to Panther, the 10.3 version of the OS.  Problem is, upgrading to Panther costs $129. As of this posting, Apple has not released patches for these vulnerabilities for any previous version of the OS.  They have stated publicly that they will not provide patches for obsolete versions of their products.  Their tack has been, and continues to be: “We write patches for the current version only”. Microsoft is just now phasing out support for NT4, but even then will...

AOL silently disables Windows Messenger on users' systems

Seems AOL has taken it upon themselves to shut down the Messenger service on their customers' systems without any notification whatsoever.  The service has been an increasingly-common vector for spam, and by all rights it has no purpose on a system at a user's home.  AOL's heart is in the right place, but their methods left a little to be desired. OK, I know I have gone on and on (and on!) about how the end user can't be relied upon to secure their systems, but I'm having an issue with how AOL went about this.  You can't just go around shutting things off...

AT&T backs off the whitelist idea

As I reported last week, AT&T was exploring the idea of using whitelists to cut down on their spam intake, since blacklists are going the way of the dinosaur under the crushing load of DDoS attacks by spammers. It seems they quickly scuttled that effort once it became public.  You can read the resulting story over at MSNBC (thanks bmonday(dot)com reader John for sending me the link). Whitelists might work for some small companies, but can you imagine how enormous that list would be for a company the size of AT&T?  They would have to have dedicated staff just to manage it on a...

IPv4 FUD is getting old

I really need to stop reading SlashDot, since all it does lately is piss me off. Today's dose of Fear Uncertainty and Doubt (FUD) is a story that ran in the New York Times (I expect FUD from them!) about the "impending IP crisis". For those who are not familiar with the concept, there are those who believe that we are going to run out of IP(v4) Addresses on the Internet in 2005, and that we need to adopt the successor (IPv6) asap to avoid the certain doom that will come about when some guy in Hoboken plugs his e-kegerator (I'm...

The irresistible force versus the immovable object

I'm frustrated by the current state of network security. I need to ramble a little bit. Bear with me. Operating systems, and the applications people run on them, are not perfect. This is a fact we all accept (except you Linux types, you guys are just in denial). If you want a 100% secure box, unplug it from the network, lock it in an airtight steel chamber, and dump it into the Marianas Trench. But that's not very useful is it? We all have known how incredibly lax users are when it comes to keeping up with patches. Do I need to...

Bluntly

This is a message to all the home users out there. I apologize in advance for the bluntness, but the message has not been sinking in. If you have a system at home, and it is not protected by some form of firewall (either hardware or software), your computer is a potential weapon of cyberterrorism. If you do not regularly monitor the appropriate vendor sites for important updates to the software you are using (like the OS itself), your computer is a potential weapon of cyberterrorism. If you do not use antivirus software, and keep it updated (yes, that means you...

Microsoft's new security plan

On Thursday, Microsoft laid out their plan to secure the users of their products. Unlike the Trustworthy Computing Initiative, which is focused on writing secure code, the new efforts will focus on making the lives of end users easier. Specifically, Microsoft will focus on the following efforts:

Enable ICF by default: Internet Connection Firewall, or ICF, is a surprisingly capable personal firewall package built in to Windows XP. Sadly, few people know about it, and fewer still know how to enable it (it's a checkbox, it takes 3 seconds to enable). Microsoft will be modifying future editions of...

Windows Update Grievance du Jour

I'm annoyed by Windows Update (WU). I get annoyed by a lot of things, but today I'll stick with just this one. I'm making no promises about tomorrow, so don't get excited. Have you ever loaded up a clean install of Windows XP, and then run Windows Update (which should be the first thing you do. Don't make me come over there!)? Have you ever noticed that there are like 33 critical patches that you have to apply? Have you ever noticed that nearly ALL of them have the same exact description (say it with me...

MS working on antivirus device?

I spent some time reviewing the video of a recent talk Microsoft CEO Steve Ballmer conducted down in Silicon Valley on Monday. I have been wondering what MS was going to be doing with the antivirus technology it purchased from GeCad a few months back. Initially I thought they might go and integrate it into Windows, yet another in a string of great products that gets glommed into the OS as a permanent feature. However, after reviewing Ballmer's recent statements, I think Microsoft is pursuing the development of an antivirus appliance that sits outside the firewall and intercepts virii...

Linux is favorite hacker target (revisited)

As I reported back in July, Linux continues to grow as the target of choice for hackers. The most recent study puts the ratio at 67% of successfully penetrated servers are now Linux, and 23.2% are Windows-based. I think this gap will only continue to widen. As the "Linux is more secure" propaganda continues to suck in people with fewer and fewer Linux admin skills, the number of poorly-configured (read: vulnerable) Linux boxes will continue to rise. The vast majority of Linux distributions are not secure out of the box, just like Windows is not secure out of...

Protect your PC -- Microsoft Instructional Site

Not sure why I have sat on this site for so long, it is useful for the home user. It details how to enable the built-in firewall capabilities of your OS, if it has it. It also walks the user through the update process and a few other things. If your OS does not have built-in firewalling capabilities, you should consider upgrading to at least Windows XP. But the site does give some good tips for those running older operating systems as well, so it's still worth a look. If you are a home user, you should go through...

New RPC patch out

Microsoft today released an updated patch for the RPC problems originally addressed in MS03-026. The new patch, dubbed MS03-039, supersedes MS03-026. I am trying to determine if the new patch addresses the attack vector that still remained after applying MS03-026. X-Force was not credited in the advisory, and there is nothing on X-Force's web site about the new patch, so I am not sure. Regardless, this is a critical vulnerability, similar in scope to the one exploited by Blaster. You know what to do. Patch! UPDATE: According to CERT, the new patch finally addresses the previously-unmitigated...

Windows 95 and 98 no longer supported

Hello folks. Just a friendly reminder that Microsoft is no longer providing patches (including critical security updates) for Windows 95 or 98 as of July of this year. If you are using either of these operating systems you need to upgrade to at least Windows ME (preferably Windows XP, for our home users) ASAP in order to continue getting regular security updates from Microsoft. NT4 is reaching End-Of-Life too (Workstation support was killed this past July as well, but security-related hotfixes for the Server variants will continue to be provided until the end of 2004). You can view Microsoft's product lifecycle...

Taking Security out of the Hands of the Home User

In a recent article posted by SANS, the idea is floated of moving the security perimeter out to the ISP in the case of home users. The ISP would block commonly-abused ports like tcp/135 by default, thereby acting as a firewall for all their customers. While this idea is not new, I think it will gain some traction this time around. It has become obvious to many of us on the front lines that we cannot rely on home users to secure their own systems. Too much is at stake.

Vindication

Just because I'm paranoid doesn't mean everyone is NOT out to get me. I have to admit to feeling a bit vindicated in my (even in my mind) crazy theory about cyberterrorism being a major factor in the recent blackout in the Northeast when I read this story from Reuters about the ongoing House investigation into the incident. Of particular interest was the transcript of the First Energy NOC operators as the problem began. Several hours prior to the blackout, a First Energy operator is heard telling an operator at another facility: "Our computer is giving us fits, too. We don't even...

JAP Anonymity Service un-backdoored

As I reported previously, the Java Anonymous Proxy (JAP) had been secretly backdoored by a German court order requested by the German equivalent of the FBI. A new court order has suspended the original request, and according to JAP the backdoor has been disabled after recording a single log entry. That's nice, but the genie is already out of the bottle. Now that we know it's possible for government agencies to request secret backdoors of this sort, nobody will trust anonymizers ever again.

Why we don't use Auto-Update

While automatic patching has been a feature of the Microsoft platforms since Win2k, nobody in an enterprise environment ever uses it. Why is that? I'll tell you:

Half-Baked Patches: More than once, patches are pushed out so quickly they are not properly tested. This makes IT guys very nervous. Take for instance MS03-010, which broke a lot of ASP web sites once it was applied. How about MS03-007? And I have to take my shoes off to count the number of patches that have broken various Terminal Server implementations.

Unnecessary patches: Any decent admin does not surf from the console of his...

This is just bizarre

According to this article on SecurityFocus, the US government is paying the anonymity site Anonymizer to maintain a special site for Iranians to subvert their government's censorship of the Internet. Yes, that's right folks. The US government is denouncing censorship globally, while trying to force it onto its own citizens at every possible opportunity. Bizarre is the only word I can come up with to adequately describe this debacle.

Microsoft Guide to Security Patch Management

This was released in late July. Worth a gander. Get It!

Repost: Slammer takes out network at nuclear power plant

(Repost due to previously mentioned operator error): Yeah, I know I said I'd give it a rest for a few days, but READ THIS! Apparently the nuclear power plant had a T1 line to the Internet that was bypassing the firewalls (because firewalls get in the way, you know). The result: The systems monitoring the most critical aspects of the plant (core temperature, etc) were disabled for nearly 5 hours. On a side note, this plant is operated by the fine folks at FirstEnergy, who are now the focus of the investigation into the recent blackout in the Northeast. If anyone needs me,...

The other big security story

Paul over at E2kSecurity.com posted about the *really* big security story that was drowned out by Blaster. The fact that the primary distribution center for the FSF was compromised by a hacker who had full root access to it for up to 6 months. Now consider that this distribution site is where everyone gets Linux drops from. Even the mirrors ultimately get their bits from this site. A hacker may have implanted trojaned code on the site and had it included in nearly every distribution of Linux built over the past 6 months. For example, the gcc compiler, which is...

Popular Anonymity Site Backdoored by German Court Order

This is HUGE. The Register is currently running a story about popular anonymity site Java Anonymous Proxy (JAP) being secretly back-doored by a German court order (JAP is located within Germany). Apparently, a few weeks ago, JAP suddenly went dark. The site said they were upgrading server hardware, and would be back in a few days. They also said that once service was restored, a new version of the JAP client would be required in order to continue using the service. What they failed to tell the consumers, is that the new client was trojaned (by JAP), and contained a secret function...

Blaster Webcast for IT Professionals

On Thursday the 21st, Microsoft will be doing a webcast entitled What Network Administrators Should Know About The Blaster Worm. So if you've been cowering under your desk the past week, waiting for some direction from Microsoft on what to do with all your infected systems, you should attend it. And then fire yourself.

The Anti-Worm Worm

In a bizarre twist, one of the newest variants of MSBLAST (and there have been at least a dozen variants found in the wild so far) reportedly uses the same RPC hole to instruct the target system to download the MS03-026 patch from Microsoft. In effect, it's a worm that whacks itself. Spiffy. Update: I know of at least one network that is running dog-slow as a result of the new benevolent worm (dubbed Nachi), while it tries to seek out infected hosts on the same network. The IT guys are not as enthralled with Nachi as I am, I'm thinking.

New MSBlast Variant in the wild

As I (and others) predicted, a new variation of the MSBLAST worm has been found in the wild. According to Kaspersky Labs, the new variant is mostly a copycat of the original, merely renaming the worm executable to "teekids.exe" (as opposed to "msblast.exe"). How disappointing. I was hoping for something a little more imaginative from our black-hatted friends than simply renaming the executable. I have faith though, it's coming. Wait until it's modified to use the RPC attack vector that MS03-026 doesn't address... It's only a matter of time.

MS03-026 -- Unmitigated Attack Vectors

I went and dug up some additional information about the unmitigated attack vector that remains on Win2k after applying MS03-026. CERT has an advisory HERE that gives a brief overview of the problem. Proof-of-concept code from the Chinese group X-Focus is linked within that advisory (which obviously means this exploit is currently in the wild). As the CERT advisory states, there is no known patch for this problem, you MUST exercise due diligence on your perimeter (both in AND out).

MSBlaster Update

It's been a long day. I had performed scheduled maintenance on my servers in the Lab 2 weeks ago to install the RPC patch (and a couple others), but invariably a system gets left off the list. I had 3 systems that for various reasons remained vulnerable to Blaster once it made it past my perimeter (thanks infected laptop users!). But our IDS systems had those machines flagged by the time I got into work this morning, and we got them patched up. One of the systems was reinstalled without the developer telling me, and they did not bother with...

Batten Down the Hatches: DCOM worm on the loose

As of 20 minutes ago, a brand new worm exploiting the recent DCOM vulnerability in all versions of Windows (except ME) broke out and is slamming the Internet pretty hard right now. Unfortunately, MS' patch doesn't actually resolve the exploit on Win2k (contrary to what the Technet article claims), and no word on when they will have it fixed. In the meantime, block outbound requests for udp/69 (tftp) at your perimeter, which should prevent any machines susceptible to this exploit from fetching the worm code and executing it. Update: News.Com has picked up the story. This has the potential to be bigger...

Electronic Voting, Part Deux

Remember I recently posted about the willies I get when I ponder the thought of electronic voting. Well, it seems that my case of the willies is spreading to others, and now some local governments are having second thoughts about this whole electronic voting concept. The Washington Post ran an article today about the growing concern over the Diebold voting systems, and their reported vulnerabilities. Seems North Dakota is holding off on their e-voting system indefinitely, in light of the recent flurry of security concerns. However, many counties and municipalities are going right ahead with their plans. Hmm, 193 candidates for governor...

Security-Focused Blogs

One of my favorite sites, SecurityFocus, today published part 2 of a two-part column on blogs, and their relevance in the security realm. While I was not enthralled enough by Part 1 to make mention of it when it was published, Part 2 is quite informative. It lists a good number of security-minded sites, both corporate and individual. Some of them you might already recognize as an established member of my security link list on the left, but there are some new sites that are worth noting:

www.djeaux.com's RSS feed of 15 popular security mailing lists
Microsoft RSS Feeds

Also make note of the...

More IPv6 FUD

C|Net's News.Com is again reporting on the IPv4 crisis that isn't. In the article, experts claim that the US doesn't care about IPv6 right now because the "US allotment" is sufficient to carry us well into the next decade. However, again according to the article, the rest of the world is screwed because their individual allotments are all running out. Could it be that the US isn't panicked over the situation because those in the know recognize that this IPv4 crisis is a complete fabrication (as the very same News.Com reported just last month)? Once you consider that this whole "geographical...

Linux Hacks Exceed Windows Hacks for the First Time Ever

According to the British research agency Mi2g, for the second quarter of 2003 successful Linux hacks exceeded successful Windows hacks for the first time since they have been keeping score (since 1995). For the 3-month period of March-May, Linux was attacked successfully 19,208 times, compared to 3,801 successful Windows attacks during the same time period. If you want to read the full report, you will have to buy it from Mi2g. However, The Inquirer ran a related story, as did Geek.com. Mi2g blames the problem on the misconception that Linux is secure "out of the box", which in most cases is simply untrue....

Slow news day, I guess

The security world is all "abuzz" today about yesterday's announcement from a team of Swiss researchers that they have come up with a way to exploit a 9-year-old Windows password exploit 7 times faster (14 seconds instead of 101 seconds...yay?) than existing tools. The Swiss must be bored as hell. Sadly, most news portals are treating this like some new critical vulnerability in Windows, and the *nix crowd is in its usual feeding frenzy. How about some facts? In order to crack the passwords, you have to somehow obtain a copy of the LanMan (LM) hashes, which (if they exist at all)...

HoneyTokens

Lance Spitzner (used to drive a tank, personal hero of mine, yada yada) today published a paper on SecurityFocus that deals with the concept of HoneyTokens. The term "HoneyToken" may not be familiar to you, but the concept has been around for quite some time. Hospitals often plant bogus records (John F. Kennedy!) in patient databases to see who might be snooping around and violating patient confidentiality. That is a prime example of what is now being defined as "HoneyTokens". By the very nature of the record, ANY attempt to access it is by default unauthorized. The same concept can...

Web Services Security

Microsoft today released a technology preview of the 2.0 version of the Web Services Enhancements (WSE) package. WSE adds a number of important features to web services, primarily security-related. If you write web services, you should definitely keep up on this stuff.

IE Chromeless Window Vulnerabilities

An interesting thread developed over the weekend on BugTraq about a flaw in IE (all the way up through version 6 SP1) revolving around the exploitability of "chromeless" windows. Chromeless windows are screen objects that do not have the normal borders and other controls attached to them. As such, they can easily be placed anywhere on the screen, and (here is the problem) be made to obscure or even change important messages from the system. I present, for your consideration, the following web site (it is not malicious, but you must wait for the ActiveX control to finish loading): Exploit Demo. If...

Happy Trails, RFP

One of the most respected white-hats is hanging up his six-shooter and riding into the sunset, according to this eWeek article. Rain Forest Puppy, or rfp for short, was one of the most creative hackers (in the good sense of the word) the security industry has ever been blessed with. He pioneered guidelines for responsible disclosure. Some of the earliest flaws in IIS were a direct result of rfp's dogged (pardon the pun) and creative approach to trying things that had never been tried. rfp also wrote and freely distributed tools that would detect these vulnerabilities, including the ubiquitous Whisker (while...

Critical MS Security Patch about to be released

There is a huge flaw in the HTML Converter that allows remote code execution across all Windows desktop and server platforms. Details are here, but the KB article (Q823559) has not yet been released. However, you can follow that link to the patches, which are now available. This is a doozy.

The Feeds

My initial RSS subscriptions include a couple gems relating to Microsoft:

http://www.thundermain.com/rss - This feed tracks changes to the Microsoft Downloads site
http://msdn.microsoft.com/aboutmsdn/rss.asp - This link lists a number of feeds on the MSDN site that you can subscribe to, including one focused on security

Thanks go to Susan Bradley via NTBugTraq for pointing these out. Enjoy!

Honeypots as IDS

Lance Spitzner (personal hero, drives a tank? Do I really need to go over that EVERY time??) recently posted a link to a paper written by Georgia Tech about how they have used honeypots to detect malicious activity on their 30,000+ node network. The honeypots were able to detect activity that had snuck past other IDS countermeasures, and were very effective in detecting systems that had been compromised. It's an interesting read.

Lance Spitzner on Honeynets

WebTalkGuys recently did an interview with one of my personal role models in the security realm, Lance Spitzner. Lance is a senior security architect at SUN Microsystems, a founder of the non-profit Honeynet Project, author of a fantastic book on honeypots, co-author of a fantastic book on honeynets, and can drive an M1A1 Abrams tank. I'm just glad he's on our side!

Windows 2000 Hardening Guide

Thanks Steve for pointing out a new Windows 2000 Hardening Guide on TechNet. Great stuff indeed.

Microsoft Renews Security Vows

CNET's News.Com is reporting on today's speech by Microsoft's Chief Security Architect Scott Charney at TechEd. The article reports that the former Justice Department cybercrime chief wants to pare down the patch deployment methods from the current 8(!) to 2 by the end of the year, with a target of 1 by the time Longhorn arrives in 2005-ish. As someone who has to apply patches to upwards of 30 servers weekly, I applaud this effort. Hopefully they come through. On a related note, Microsoft also launched 2 new security-focused certification extensions available to the MCSE and MCSA crowds. Too bad home users...

Patches = Good. Got it?

I'm on the verge of a rant here about the furor over the first security patch affecting Windows 2003. Some sites are calling it "embarrassing", which, in this blogger's opinion, borders on irresponsible journalism. Guess what. Patches are a good thing, ok? I remember a time when it was Microsoft's goal to put out a Service Pack *quarterly*. But they took so much flak in the press for updating "an obviously flawed" product that we're reduced to this individual patching nightmare that we have to put up with today. <sarcasm>Thanks, much better!</sarcasm> Criticizing MS for putting out patches is asinine....

New Anti-Disclosure Proposal

The Organization for Internet Safety (OIS), of which Microsoft, Caldera, and a bunch of security heavy hitters are members, have just submitted a new proposal suggesting a different approach to disclosure. The disclosure debate has raged (and raged, and raged!) for years now, and is always one of the hottest topics in the security community. OIS is actively soliciting feedback from the security community on the draft of their proposal to delay the disclosure of proof-of-concept code until the affected customers have had a chance to schedule downtime and apply the appropriate patches.

New CyberSecurity Division formed under Homeland Security

Welcome to the party boys! Sorry, the beer ran out 2 years ago. It's about time the gubment started taking seriously what whitehats have been shouting from every available rooftop: Cybercrime/CyberTerrorism is a real threat to the security of this nation, and the private sector can't stave it off alone. Conducting acts of cybercrime isn't nearly as hard as hijacking 4 aircraft and flying them into a building. You don't need to recruit some extremist wacko who is willing to strap a bomb to his chest and die for the cause. Al Qaeda has already proven it has the skills...

Should security training be mandatory for MCSEs?

There has been a rather heated debate in the community lately about the new(?) security-focused supplemental certifications that Microsoft recently announced for existing MCSEs and MCSAs. On one hand, some folks are saying security-focused training should be an integral part of the MCSE track already, instead of merely an optional enhancement. Alan Paller, the Director of Research for the highly respected SANS Institute, and a long-time critic of Microsoft's certification programs, points out that the additional security training sessions have been available for years (in some cases), and are just not a very popular choice among MCSE students. It's an...

Too... many... articles.... GAH!

Steve linked to a really cool security news site called HackinTheBox.org. Instead of making blog entries for each of the interesting articles, which could take up the rest of the night, I'll just suggest that you go there and start reading. I could spend all night at a site like that. Great stuff. I'll have to do some further research on their link list too. I have a sudden craving for Jack In The Box. Gotta run.

Recent Security Tidbits

Security Focus reports on the impact of recent large-scale worms on the Internet infrastructure in this article. As many of us in the security realm realize, the routing protocols being most widely used on the Internet are fragile as hell, and represent (in my humble opinion), the "Achilles' Heel" of the Internet. Government Computer News is reporting a new type of trojan horse recently found in the wild. CERT has not confirmed the report at this time. I'd like to send a big shout-out to @Stake who demonstrated what Responsible Disclosure is all about when they worked with Nokia to...

Exhibit A

I know some of you grow tired of me preaching the evils of the home user, and how their always-on high-bandwidth systems are all-too-commonly recruited into botnets and used for evil purposes by Wile E Hacker. But I'm not making this stuff up! I give you Exhibit A: A study conducted recently by AOL and the National Cyber Security Alliance that says 86% of broadband users think they are sufficiently protected from black hats, yet only 11%(!!!!!) actually had adequately secured systems. Millions of poorly-secured systems, with big fat pipes to the Internet, just ripe for the picking. It's no...

Lance Spitzner on the Legality of Honeypots

Hardly a week passes without someone asking the security community whether Honeypots are legal, or whether they constitute entrapment. Lance Spitzner (Personal hero of mine? Drove a tank? Yeah, that guy) posted an article on Security Focus about the legality of Honeypots. Helping Lance on this paper was Richard Salgado, who works at the DoJ and is a frequent contributor on the Honeypots Mailing List, as well as Jennifer Granick, Director of the Stanford Center for Internet and Society. It's a good read.

Gartner Displays Their Security Ignorance

I swear the people doing security research at Gartner are completely clueless, and are starting to cause serious damage to corporate security efforts by publishing poorly researched recommendations like the one they put out yesterday. The article actually recommends that corporations devote all the money they would have spent on Intrusion Detection Systems (IDS) to firewall products instead. As if the two were competitive technologies. News flash for you idiots: IDS is an auditing tool more than anything else, and it works in conjunction with a firewall infrastructure. It validates your firewall policy, and shows you what is getting past...

Uh.... Soon?

Forgive me for not being encouraged by the former presidential Internet security advisor (and now eBay's head security czar) when he goes on record saying (and I quote) "Soon we'll see a zero-day exploit". Uhh, where the hell have you been, pal? It should be common knowledge that black hats are often using exploits in the wild well before white hats have discovered them. In fact, a good percentage of zero-day exploits are discovered by honeypots and IDS systems as they are executed against target networks. eBay is so screwed.

Chat with MS regarding Trustworthy Computing

We'll get the rare opportunity to talk to Mike Nash, VP of Microsoft's Security Business Unit. The chat will be on June 16th, at 17:00 GMT. You can go HERE for more information, and to log into the chat room. Now why do I have to read a 12-page legal agreement just to log into a chat anyway? Sheesh. I think I'll just wait for the transcript.

Zone Alarm rolls to Version 4

I admit it. I'm a fan of Zone Alarm. It has consistently earned top honors in the personal firewall class. With version 4, Zone Alarm now adds email scanning abilities (inbound and outbound), a popup blocker, and IDS-like reporting capabilities. They have also enhanced the granularity of the firewall controls, allowing geeks like me to fine tune the protection. Best 50 bucks you can ever spend for your computer, especially if you don't have a real firewall sitting between you and your internet connection. If you can't spare the 50 bones for the Pro version, at least grab the free...

Gartner IDS Follow-up

Seems I wasn't the only one who thought Gartner's recent analysis of the state of IDS was complete bunk. Gary Golomb, an engineer at Enterasys (an IDS developer, mind you), and a frequent contributor in the IDS community, has posted a reply to the report on the SecurityFocus IDS mailing list, debunking the research (and I use that term loosely) the Gartner author cites in his original report. Gartner is losing credibility with each new report they are putting out lately.

Watch me piss off an entire state

I saw this gem while perusing HackInTheBox at home last night, but my BAC at the time left me with only the ability to type "ARE YOU F***ING KIDDING ME?!?!" over and over again, and I just don't think that's good blogging. Basically, this tard senator from (*gasp!*) Utah, thinks it would be a great idea to allow copyright holders to remotely destroy the computer systems of suspected thieves. Then he astutely points out that they'd need to draft an exemption of current hacking laws to ensure it was all nice and legal. What can you expect from a state...

Bluetooth finally gets some hacker luvin'

I was wondering when someone was going to start looking at the security capabilities of Bluetooth. Sure, the range is short (2 meters roughly), but how long a range do you need on a crowded subway? The fine folks at @Stake have released the first known tool specifically targeting Bluetooth. Dubbed "RedFang", the tool is merely a brute-force method of discovering non-broadcasting BT devices. In most cases, the fact that the device is not broadcasting its address is the sole security enabled from the factory, and with RedFang, you can blow right past that. Take for example, the Compaq...

Microsoft Security Centers on Technet

Anil John over @Cyberforge compiled a very handy list of the various Security Centers over on TechNet. I'm glad Microsoft is putting such effort into training engineers how to effectively secure their products and how to write safer code. It seems daily now I read about some new bit of content on TechNet or MSDN that is focusing on how to write secure code and how to make Microsoft products secure. Thanks Anil!

R.I.P. @Cyberforge

Anil John is shutting down @CyberForge, one of my favorite security-related blogs. Sorry to see you go Anil, hopefully it's for all the right reasons.

Webcast: Honeynets

Thanks LinuxSecurity.com for pointing out an upcoming webcast on Wednesday regarding Honeynets. Lance Spitzner (personal hero of mine, drove a tank, blah blah blah) will be speaking on the top 3 advances in honeynet technology. Some other guy is talking after Lance, but he didn't used to drive a tank, so I'm just not interested. The webcast is hosted by SANS and can be accessed by clicking here.