Security musings (reflectorium)

Malware analysis

2010-06-02T00:35:00.000-07:00

Very nice article
links to
wepawet
malzilla
jsunpack

Overcoming problems in BT4 with apt-get install scapy2

2010-02-26T05:40:00.000-08:00

#cd /var/cache/apt/archives/
#dpkg --force-all -i libssh2_1.2.2-bt0_all.deb
#dpkg --force-all -i scapy2_2.1-bt1_all.deb
(as root)

Web Security Dojo v1.0 release

2010-02-25T23:13:00.000-08:00

http://www.webappsec.org/lists/websecurity/archive/2010-02/msg00069.html

"For a quick start grab the VM from http://dojo.mavensecurity.com and
read the included Readme file and/or watch the intro video at
http://www.youtube.com/watch?v=lum6bSsyJ38."

tweets du jour

2010-02-24T23:55:00.000-08:00

dragosr
Hak5 has DHCP exhaustion and DNS MITM via metasploit module vid http://bit.ly/dpRr9b (>HDMoore)

TEDchris
Here's what Sergey Brin told me at #TED about Google's cyber-attack in China and "Don't Be Evil" http://on.ted.com/8A6D

dragosr
good sans passthehash toolkit comparison paper http://bit.ly/cAlhmq

SED one liners

2010-01-07T12:55:00.001-08:00

Analysis of Java Exploit kit

2010-01-06T01:28:00.000-08:00

Yersinia overview

2009-11-24T08:18:00.000-08:00

Monitor sidewiki entries on whole domains

2009-11-24T08:13:00.001-08:00

Google Chart API

2009-09-11T04:12:00.001-07:00

Modern approaches to data viz

2009-09-11T02:41:00.001-07:00

Visualising IP Geolocation in HILBERT space

2009-09-09T23:51:00.001-07:00

Free geo database of all IP addresses

2009-09-09T23:50:00.001-07:00

Building Security In Maturity Model

2009-03-09T07:27:00.000-07:00

http://bsi-mm.com/

http://dnsbl.abuse.ch/

2008-10-20T11:16:00.001-07:00

2008-10-17T13:17:00.001-07:00

Breakpoint Clickjacking Speculations

2008-09-26T02:26:00.000-07:00

http://www.breakingpointsystems.com/community/blog/clickjacking

and of course
http://blogs.zdnet.com/security/?p=1973

Links of the day

2008-09-18T00:10:00.000-07:00

http://www.sensepost.com/research/squeeza/
http://www.sensepost.com/research/reDuh/
http://carnal0wnage.blogspot.com/2008/09/passing-hash-with-gsecdump-and-msvctl.html
http://carnal0wnage.blogspot.com/2008/08/owning-client-without-and-exploit.html

WASS statistics

2008-09-08T23:12:00.000-07:00

WASS Weba Application Security Statistics 2007 gives some really nice insights, e.g. % of type of vulnerabilty on average site *and* how likely they are detected by automated scans vs. penetration testing. Automated scans are good at finding low and medium ones. Penetration test are good at finding high findings.
http://packetstormsecurity.org/papers/general/wasc_wass_2007.pdf

local links

2008-02-26T05:07:00.000-08:00

file://c:

Wireless Auditing Live CD

2007-12-18T23:09:00.000-08:00

Russix

Automated web testing

2007-11-29T12:18:00.000-08:00

http://wwwsearch.sourceforge.net/bits/GeneralFAQ.html

http://www.opensourcetesting.org/functional.php

http://pamie.sourceforge.net/

http://search.cpan.org/~prashant/Win32-IEAutomation-0.5/lib/Win32/IEAutomation.pm

http://search.cpan.org/dist/WWW-Mechanize/lib/WWW/Mechanize/Examples.pod

Automated web testing

2007-11-29T12:11:00.000-08:00

Selenium
http://www.openqa.org/selenium-rc/tutorial.html

http://www.trustedsource.org/

2007-11-28T02:18:00.000-08:00

When laptop is unlocked..

2007-11-14T08:34:00.000-08:00

download and wallpaper. ;-)

Unicode Reverse Character .. for the fun of it..

2007-10-23T06:27:00.000-07:00

The mirroring character is within the braces

(‮‮(

Just copy it somewhere

Testing and exploiting flash

2007-10-20T07:23:00.000-07:00

Interesting XSS site

2007-10-09T00:47:00.000-07:00

http://www.xssed.com/
- Interesting site on cross-site scripting.

Wikiscanner

2007-08-15T01:50:00.001-07:00

Nice tool that matches IP addresses, etc. to Wikipedia edits

Dan K on Youtube

2007-08-15T00:46:00.000-07:00

or rather.. Dan K's own Youtube movies..
=)
http://www.youtube.com/user/effugas

XSS tunneling

2007-07-11T01:17:00.002-07:00

XSS Tunneling Paper:
http://www.portcullis-security.com/uplds/whitepapers/XSSTunnelling.pdf

XSS Shell, XSS Tunnel Binary Releases and Source Code:
http://www.portcullis-security.com/16.php

SQL Cheat sheet

2007-07-11T01:17:00.001-07:00

Top 15 free SQL injection scanners

2007-05-23T22:13:00.000-07:00

Some eyecandy..

2007-05-15T13:51:00.000-07:00

Wfuzz

2007-05-07T22:56:00.001-07:00

A web application fuzzer with dictionnaries.
http://www.edge-security.com/wfuzz.php

Secret behind Canadian Spy Coins revealed

2007-05-07T22:49:00.000-07:00

.. just multicolor standard coins.. just too unfamiliar too US military contractors.. (Weia!)

SQL injection sheet

2007-03-22T03:29:00.001-07:00

Top 10 Web Hacks 2006

2006-12-18T01:14:00.000-08:00

Backdooring image files

2006-12-15T01:07:00.000-08:00

The mirroring character in Unicode (which is & #8238;& #8238; without the blanks)

2006-12-12T23:04:00.000-08:00

‮‮ Interesting blog entry on the Unicode mirroring character..
http://digitalpbk.blogspot.com/2006/11/fun-with-unicode-and-mirroring.html

http://www.reflectorium.de/?/moc.elgoog.www//:ptth
of course is misleading..

Earthquake Information Europe

2006-12-08T10:52:00.000-08:00

Really good website

Javascript attackapi

2006-09-18T06:06:00.000-07:00

http://www.gnucitizen.org/projects/attackapi/

Spyware and Malware

2006-08-09T01:29:00.000-07:00

These web sites seem to have some repositories and tools to that end:

http://www.mwcollect.org/
http://www.offensivecomputing.net/

Coldfusion Security Checklist

2006-06-20T04:29:00.000-07:00

http://ray.camdenfamily.com/coldfusionsecuritychecklist.cfm

Jerry A. Taylor of Tuttle, OK

2006-03-30T13:03:00.000-08:00

Thanks to TheRegister probably all know what "pulling a Tuttle" means by now.
See:

As a result, a few folks probably started to wonder what 22 years experience in IT really means nowadays. (As Mr. Taylor was still unable to tell a standard default install page..)

This article in the Tuttletimes (courtesy of Google's cache) gives some details that might explain some of the background:

Mr. Taylor worked 22 years with E Systems as a program manager. The majority of the time on a classified government program.
He has also had his own computer business and worked for the Choctaw Electric Cooperative as their internet technologies manager.
It appears that Mr. Taylor had originally great plans for the city website when he started his job:
a user-friendly automated system, information about city officials, agenda and minutes of meetings, a place to read ordinances, bill payments and building permit applications.
- Which probably means that there's still a lot of work waiting for him, considering the current state of http://www.tuttle-ok.gov/
He had already build the city of Harrah’s website before at http://www.harrah.net/. Currently it gives you a one-word-page.
Fortunately, it has been archived for posterity at archive.org:
http://web.archive.org/web/*/http://www.harrah.net/
(Also see this)

So all in all, it seems that he should have had all the skills. (Of course, you never know what classified programms are all about.) - Something must have stopped him from reaching the goals that he had laid out for himself.

EFF warning on new Google Desktop Search

2006-02-12T23:17:00.000-08:00

It stores your files on the Google servers if "search across computers" is enabled. - Which of course is a major item of concern..
http://www.eff.org/news/archives/2006_02.php#004400

Bruce Schneier and RFID passports (again)

2006-01-23T23:00:00.000-08:00

A not so great piece by Schneier on RFID-enabled passports.
- Surprise: There are several sorts and ranges for RFIDs (and tricks!).
.. what are the problems that US people have with passports? (mystery)
http://www.schneier.com/blog/archives/2006/01/reading_rfid_ca.html

US customs opening international mail (routinely?)

2006-01-23T22:56:00.000-08:00

Bruce Schneier links to a Reuter article on US customes opening international snail mail. Legally.
http://www.schneier.com/blog/archives/2006/01/us_customs_open.html

Johnny Long published book on Google hacking

2005-07-26T11:53:00.000-07:00

Review at Slashdot (danke Timo!)

The DoD Information Assurance Portal

2005-06-10T01:38:00.000-07:00

Guerilla Threat Modelling

2005-06-03T05:30:00.000-07:00

Microsoft's Peter Torr has an excellent article on Threat Modelling (the Microsoft way..)
at right here

Illustrative Security Risks

2005-05-18T03:43:00.000-07:00

Illustrative Risks to the Public in the Use of Computer Systems and Related Technology by Peter G. Neumann
http://www.csl.sri.com/users/neumann/illustrative.html

OpenSSH key management

2005-04-20T04:06:00.000-07:00

http://www-106.ibm.com/developerworks/library/l-keyc.html
http://www-106.ibm.com/developerworks/library/l-keyc2/
http://www-106.ibm.com/developerworks/library/l-keyc3/

Whoppix LiveCD for Penetration Testing

2005-04-13T00:58:00.000-07:00

Based on Knoppix, heavily modded for pen testing
http://www.whoppix.net/

Using honeynets to learn more about Bots

2005-03-14T03:47:00.000-08:00

There's an interesting write-up at http://www.honeynet.org/papers/bots/
- one of my big to-do's once my gear is up and running again.

The Insecure Indexing Vulnerability

2005-03-02T05:02:00.000-08:00

Attacks Against Local Search Engines
interesting paper by Amit Klein on how internal documents could be accessed.

Andreas Bogk comments on SHA-1

2005-03-02T04:39:00.000-08:00

..in German. While I like Bruce Schneier's comments, I think we should also listen to the other folks out there. (as in: just re-quoting cryptogram is a *bad thing*). - Andreas did some very original things in the past.

Send-Safe - a look at a professional spamming tool

2005-03-01T01:54:00.000-08:00

The folks at F-Secure did a fascinating article on "Send Safe", one of the tools used by spammers.
This tool even has builtin support for using infected PCs to send the spam. Very interesting screen shot!
http://www.f-secure.com/weblog/#00000485

Guerilla Threat Modelling

2005-02-23T08:23:00.000-08:00

Peter Torr (of Microsoft) on Threat Modelling again:
Guerilla Threat Modelling

Packetstormsecurity RSS-feeds

2005-02-10T01:47:00.000-08:00

Enterprise Architecture Alignment Heuristics

2005-02-09T04:21:00.000-08:00

High-Level Threat Modelling

2005-02-09T01:13:00.000-08:00

A nice synapsis on how the ideas in the Threat Modelling book by Window Snyder et al. might be put to use in practice. (As in: Hey Microsoft, cool idea - but just how to you do it in real life?)
http://weblogs.asp.net/ptorr/archive/2005/02/08/368881.aspx

Not bad, but ends somewhat early.
- I always thought that other key benefits to do threat modelling are, that you could
a) show the morons that want to introduce insecurity later on in the project, what that will do to them easily and illustratively
b) have a readily available, nice residual risk piece for final sign-off

If you can get around it, people will..

2005-02-09T01:05:00.000-08:00

I found this on Larry Seltzer's blog, who in turn found it on Bruce Schneier's.. :
when physical security just doesn't make sense
The whole picture collection is also quite peculiar. (alas, off-topic)

Microsoft: Mapping International Security Standards to MOF

2005-01-31T01:49:00.000-08:00

About time that Microsoft came out with an other free tangible security management goodie.
"Mapping International Security Standards to MOF" or - maybe more bluntly - How does Microsoft's interpretation of ITIL (called MOF) map to international security standards (such as ISO17799).
By the way, the folks behind ITIL have a most excellent book on "ITIL security management", which happens to cover the ISO17799 mapping. So I wonder how much added-value Microsoft brings here. (Granted the ITIL book is expensive and this goodie is free..)
--
After a really hard glimpse at the Microsoft paper - it's really worth getting the original ITIL security management book.
(The Microsoft paper is somewhat thin, but nevertheless is a nice ISO17799 introduction...)

CopyScape - Web Plagiarism Search Engine

2005-01-31T01:40:00.000-08:00

Towards an Economic Analysis of Disclosure

2005-01-29T16:24:00.000-08:00

A very interesting posting at Adam Shostack's blog (see below). - Also, have a look at the additional papers mentioned in the comments...

Emergent Chaos, blog by Adam Shostack

2005-01-29T16:18:00.000-08:00

http://www.emergentchaos.com/
has some interesting thinking, .. now part of my daily blog diet..

Information Assurance Technical Framework Forum

2005-01-28T07:51:00.000-08:00

"The Information Assurance Technical Framework Forum (IATFF) is a National Security
Agency (NSA) sponsored outreach activity created to foster dialog amongst U.S.
Government agencies, U.S. Industry, and U.S. Academia seeking to provide their
customers solutions for information assurance problems."

They have quite a few documents for download - although, on first glance, not totally cutting edge. (behind what you learnt to expect and love from folks like the NIST...)

http://www.iatf.net/

US: National security concerns over IBM notebook sale to China

2005-01-24T02:34:00.000-08:00

According to this article in German at SpiegelOnline, the CFIUS comitee in the USA is now voicing national security concerns of the sale of the IBM notebook business to a Chinese company. (I've been wondering about the implications of the Trusted Computing chip in the Thinkpads and China...)

FDA guidance

2005-01-21T05:41:00.000-08:00

Defiling - anti-forensics on UNIX

2005-01-20T01:38:00.000-08:00

HERT carries an article on "The Grugq" making a tour this year, talking about anti-forensics in UNIX. (Article also links to a presentation).
http://hert.org/story.php/58

Here's a link to a Phrack article mentioned at link above. (old, 2002)
http://www.phrack.org/phrack/59/p59-0x06.txt

New releases at metasploit

2005-01-17T01:07:00.000-08:00

Locksmith rehash disclosure debate

2005-01-17T01:02:00.000-08:00

Very interesting article on TaoSecurity Blog about a debate on a locksmith newsgroup that was kindled by a paper titled "safecracking for the computer scientist".

Basically some locksmiths there are stuck in a 19th century mind set. - This is scary, to think that some of these folks still believe that selling insecure devices as secure is okay as long as noone tells about the insecurity in them - and we entrust them with real life valuables.. *yuck!*

Link to entry on taosecurity

BITS Kalculator: Key Risk Measurement Tool for Information Security Operational Risks

2005-01-04T08:35:00.000-08:00

From the Bank of International Settlements (BIS):
http://www.bitsinfo.org/wp.html

Defeating web-based content filtering on gateways...

2005-01-04T06:45:00.000-08:00

Rory has some comments on proxies that obfuscate the communication at http://raesene.dnsalias.net/archives/000156.html

(Axel pointed me towards this via http://balrog.de/security/archives/2005/01/04/55_security-is-not-a-product-once-again )

Personally, I think one shouldn't focus on these cgi/php-based proxies too much. Isn't it far easier to use google's "translate that page" functionality? Or Anonymizer and Co?
.. or - to the same end - a trusted SSL-based reverse proxy???

Of course, the cgi/php-based proxies will give you
+ clicks 'n hits on someone's web ads
+ and a nice click/usage history somewhere

Should be ideal for phising too.. (So please beware!)

Notes from the 21C03 conference

2005-01-03T05:14:00.000-08:00

Here are my notes from the 21C03 conference held by the German Chaos Communication Club (CCC) from Dec 27-29 2004 in Berlin.

The official sites of the event are at
http://www.ccc.de/congress/2004/index.en.html
https://21c3.ccc.de/wiki/index.php/Main_Page
http://21c3.ccc.de/weblog/

The CCC promised to make videos of most sessions available on the web. (Should be up in January 2005).

The annual conference had a record participation (around 3,500 participants) and appeared much more professional than earlier events.
The organisators had to choose from around 200 submissions to fill the session tracks. The trick was really which session to choose.

__Things that really struck me__

_Passive covert channels in the Linux kernel_
- Very interesting talk focused on getting covert messages out as part of the Sequence number in packets. The speaker introduced a tool (nushu.c), which hides this communication. This could have various uses e.g. in bot networks and applications that "want to phone home" and hide additional data.
See http://www.invisiblethings.org/

_Bluetooth vulnerabilities_
- There was a full-disclosure presentation (incl. tools) on the bluetooth vulnerabilities mentioned in 2004 by trifinite.
See http://www.trifinite.org/
- This is really bad. This is about reading and manipulating address books from afar. This is also - on some phones - about using someone else's phone to make phone calls and to redirect phones to someone else's phone to yours.
- People need to get their vulnerable phones updated in a shop. (And most people probably won't.)

_Security nightmares_
- SSH will probably be exploited again in a big way in 2005. (Rumours of another upcoming exploit). -> This makes me think that people should start to look at "port knocking" (or restricting access to certain IPs) to add a level of security for internet facing systems, i.e. you can only connect to your SSH server if you come from a pre-defined IP or after you did some magic ping/connection pattern.
- There might be trouble with cars turning into mobile computers ahead. It appears that some car systems use RDS data (via the car radio) as input. There are rumours that the RDS parsers in some car radios might be exploitable.
- People should really, really patch their mobile phones...

_MD5 insecurities_
- there are collisions in MD5. (Which also means that people should start to use other hash algorithms instead)
- a Chinese researcher has released two proof of concept test vectors that cause a collision. (It is unclear how these vectors were found!)
- these two test vectors can already be used to carry out attacks today
- MD5 operates on blocks, i.e. if you find two files that MD5 to the same hash, an arbitrary payload can be applied to both files and they'll still have the same hash.
(These two files could be e.g. the two test vectors above)
- David Kaminsky's tool "stripwire" produces two binary packages. Both contain an arbitrary payload, but the payload is encrypted with AES. Only one of the packages ("Fire") is decryptable and thus dangerous; the other ("Ice") shields its data behind AES. Both files share the same MD5 hash.
- According to doxpara.com: "This is an excellent vector for malicious developers to get unsafe code past a group of auditors, perhaps to acquire a required third party signature. Alternatively, build tools themselves could be compromised to embed safe versions of dangerous payloads in each build. At some later point, the embedded payload could be safely "activated", without the MD5 changing. This has implications for Tripwire, DRM, and several package management architectures.[..] Very interesting possibilities open up once the full attack is made available -- among other things, we can create self-decrypting executables (fire.exe and ice.exe) that exhibit differential behavior based on their internal colliding payloads. They'll still have the same MD5 hash."
- this also allows for covert channels
- there's also a real hole posed by the MD5 variant used in KaZaa
- -> You can read it all at http://www.doxpara.com

_Instant Messaging security holes_
- Apparently there were/are quite a few bugs in IM clients. This is bad as more and more people use them for "serious" communications.
-> http://www.stonedcoder.org/

_DNS_
- nice talk on how one can use the DNS system with its mind-boggling number of servers to tunnel data and store data
- this included a demonstration of SSH via DNS and webradio (caching)
- NTSX old tool
- droute new tool
- also google for "grr", "nomede" and "miname"
- -> or read it all at http://www.doxpara.com

_physical security_
- They explained how "bump keys" (999 keys) work. Apparently this allows you to pick even high-quality locks and advanced locks like the keso.
The speaker gave a good demonstration by breaking a wide range of locks within mere minutes on stage (see below).Basically you cut the key with the deepest set of grooves possible (often by setting the key making machine to "9999.."). This bump key is then inserted and hit with a vibrating little hammer. This causes the bolts in the lock to shake quickly up and down, allowing for brief openings during which the key can be turned.
See http://www.gregandbeth.com/imagegallery/index.php?action=display&imageID=222
The speaker also showed a (rather easy) attack against the Winckhaus Bluekey system. (Breaking a 250 euro lock with a 40 euro magnet).

_SAP security_
- As people want to be "on the safe side", there are often very insecure settings (i.e. chmod 777) on folders
- look for cleartext passwords in scripts
- look for NFS exports

_phishing_
- They showed an interesting technique that redirects the victim to the legitimate web site, but opens a pop-up window on top of that;
the counteraction for the legitimate site owner is to open a pop-up window with the same name as the phisher's pop-up

_code reviews_
- They showed some source code from Cisco, Microsoft and MySQL that didn't look very secure. (Hard to fall asleep).

_automated web site hacking (php worms)_
- apparently quite a few people are interested in writing PHP worms that use Google now.
- look at the tools RATS and nikto to find flaws

_Sun Solaris 10_
- Sun Solaris comes with a tool called "dtrace" that gives you a very deep view into the system. (and can allow you to read out passwords).
- There's a new rootkit called SiNAR.

__Various miscellaneous notes__

Onion routing
e.g. using TOR (http://tor.eff.org/ )

Infrared hacking
look at http://www.lirc.org/ and http://www.irtrans.org/

Personal firewalls on Windows
will always be breakable/insecure because of the low-level inter-process communication possible in Windows

Fravia on searching the web
-> http://www.searchlores.org/

__Next major event in Europe_
"What the hack?" - July 28-31st in the Netherlands.
This it the bi-annual European Summer camp (HIP97, Heart-of-Gold (99), HAL2001, Fairy-Dust (03), now: WTF 05)
http://www.whatthehack.org/

Secureme - a whacky new blog on the block..

2005-01-03T01:45:00.000-08:00

I really enjoy this..
http://secureme.blogspot.com/

OSSTMM - Open Source Security Testing Methodology Manual

2005-01-03T01:40:00.000-08:00

Almost on the same topic:
ISECOM is working on the "OSSTMM - Open Source Security Testing Methodology Manual".

- A somewhat mixed bag of recipies. Good reading, gives insights. But sometimes I think its labelling goes a bit over the top.

OISSG releases Information System Security Assessment Framework (ISSAF)

2005-01-03T01:35:00.000-08:00

The OISSG is working on a Information System Security Assessment Framework (ISSAF).
A draft version of this framework is available at the OISSG website at:
http://oissg.org/issaf01/issaf0.1.zip (5.59 MB) or http://oissg.org/issaf01/issaf0.1.pdf (12.6 MB)

- I had no chance to read it so far. YMMV

Off topic: Eminem's Mosh (call to vote, not-Bush)

2004-10-29T10:08:00.000-07:00

Eminem's Mosh - clearly, he doesn't like Bush. =)
Loosely related weapons of mass destruction

Competitive Hacking

2004-10-29T08:22:00.000-07:00

Getloaded vs. Truckstop - tale of one company scraping data of another company's business portal site.
Mostly by posing as a subscriber or re-using (userID, passwords) pair.
http://www.theregister.co.uk/2004/10/26/competitive_hacking/

Sardonix - source code auditing

2004-10-27T07:41:00.000-07:00

Good site, good links, good stuff: http://sardonix.org/Auditing_Resources.html
And Crispin Cowan is involved in it.

Criminals making money off DDoS threats

2004-10-27T07:38:00.000-07:00

This article gives some detail on the actual extortions going on. Internet casinos and bookies are threatened by criminals operating bot nets. It also gives some idea on the money involved - and it has suspense, heros and a good ending,

The World Bank Technology Risk Checklist

2004-10-25T14:23:00.000-07:00

For what it's worth. From a cissp-forum posting by Gideon T. Rasmussen:

"The World Bank Technology Risk Checklist is designed to provide Chief
Information Security Officers (CISO), Chief Technology
Officers (CTO), Chief Financial Officers (CFO), Directors, Risk Managers
and Systems Administrators with a way of measuring and validating the
level of security within a particular organization."

http://www.infragard.net/library/pdfs/technologyrisklist.pdf (31 pages)

Linkedin - a social network service

2004-10-25T10:55:00.000-07:00

Today I discovered Linkedin ( http://www.linkedin.com/ ). Similar to OpenBC, Orkut and Friendster it gives you a platform to network. - While I'm still convinced that it takes beer, wine or hardship to really get to know people, I think it's a good service to get to that point.
(- Has anyone a free Orkut invite? =) )

Directory of Open Access Journals

2004-10-20T01:22:00.000-07:00

FG SecMgt in the Gesellschaft für Informatik e.V.

2004-10-18T01:28:00.000-07:00

I'm a member of the FG SecMgt in the FB Sicherheit of the German "Gesellschaft für Informatik e.V.". If your German is good, it's a good place to meet peers and enjoy fruitful discussions. The web site has also some good presentations from past events... (meets 2-3 times a year, low volume mailing list)
http://www.gi-fb-sicherheit.de/fg/secmgt/index.html

Unicornscan

2004-10-11T09:49:00.000-07:00

Bassajew and costs of terror attacks

2004-09-19T02:59:00.000-07:00

I heard on the car radio the other day that Bassajew gave numbers on how much the recent terror attacks in Russia and Beslan did cost him. I remember something like 9,600 USD for the Beslan terror attack (in which terrorists took pupils, teachers and parents hostage) and something like 7,000 USD and 4,000 USD for the suicide bombing in Moscow and the bombings of two Russian passenger planes.
Here are some links:

Nur allzuwahr.. IT-Sicherheitsbeauftragter im c't Kartoon..

2004-09-19T02:10:00.000-07:00

in German ;-) http://www.heise.de/ct/schlagseite/04/20/

M$ Windows XP Professional Bugging Device?

2004-09-18T23:57:00.000-07:00

Cccure has a list of 47 spots in Microsoft XP Professional that the anonymous author of that document thinks are cases of possible concern. (PARANOIA! on/off) - or maybe I'd say are "paranoia entry points"?
http://www.cccure.org/modules.php?name=News&file=article&sid=591
- While I think that most of them are quite irrelevant, it's probably not bad to adjust/verify personal paranoia levels on a Sunday morning..

(in Germany:) The legal obligations and the responsibilities in case

2004-09-18T09:51:00.000-07:00


From a posting by Bodo Hoffmann to cissp-ffm:

(in German)

http://www.surfcontrol.com/general/guides/SurfControl_RechtlicherLeitfaden.pdf

A visual history of spam (and virus) email

2004-09-17T01:27:00.000-07:00

..from the blog of Raymond Chen (who has kept every single piece of spam and virus email since mid-1997).

German IT agency sets record straight on IE

2004-09-16T23:49:00.000-07:00

There has been some noise after the German Information Security Agency (BSI) apparently hinted that using a non-Microsoft web browser might give you less security headaches. NetworkFusion is covering the current state (and some clarifications by the BSI) in an article called "German IT agency sets record straight on IE".
- As you could expect, the BSI is choosing some less harsh language.
The most interesting quote from it is: "Microsoft has responded to the developments by offering discounts to the country's vast public sector and agreeing to provide special assistance with software security."
Now - if I were the IT security agency chief of any country, wouldn't I just copy&paste the original BSI statements?? (and gain a hefty discount plus MS security consultancy package for my people??)

Minimization of network services on Windows systems

2004-09-16T13:33:00.000-07:00

Very interesting reading. - I found it at the TAO security blog , that also has a nice summary.

The CISSP secret hand shake

2004-09-16T01:20:00.000-07:00

For all who have wondered - there is indeed a secret handshake to recognize fellow CISSPs.
From a post by Mark Lachniet to cissp-forum (a high profile, highly professional closed list):
"It's just like the gangster handshake
- fist (above),
fist (below),
fist horizontal.
Then you say "wondertwin powers activate - shape of a risk assessment methodology" and "shape of a properly configured and managed IDS system"

From personal experience, you are supposed to order beers right after saying this...

"Gmail-is-too-creepy"

2004-09-15T08:20:00.000-07:00

http://gmail-is-too-creepy.com/
for what it's worth. I haven't checked the allegations made at the link above, so take them with a grain of salt.
Also, http://www.gmx.de/ has largely increased it's free webmail quota to 1 GB, see here.
- Gmail is Google's mail service.

TAMU 1999 Bonfire Disaster - a management tale on why proactive risk management matters

2004-09-13T10:14:00.000-07:00

Texas A&M - or "Aggieland" - is a rather well-known US university with a (military-style pre-) "school of cadets". It's home of the George Bush Presidential Library, very close to the Bush's family ranch and a somewhat peculiar place. I spent quite some time in and around campus in '93-'96.
Texas A&M is well-known for its football team, its inherent despise for the Univerity of Texas (at Austin) and the "team spirit" of its students and honored traditions.
Up to 1999 one of the key traditions was the annual Bonfire - which developed into a major three-story construction. - I always had the feeling that more wood was burned in that fire, than was used as paper at that place.

In 1999, the bonfire collapsed killing several people. The university was pressured to launch an in-depth investigation, which came up with quite shocking findings.

See: http://www.tamu.edu/bonfire-commission/reports/

I think this is a really good story that demonstrates just how important a pro-active risk management is.

Some quotes from the final report:
Lack of a written Bonfire design or construction methodology is in the Commission’s view both an important barrier failure and very relevant to the collapse. This deficiency has resulted in multiple design changes year-to-year, no established process for design reviews, and no documentation of critical design factors. This was clearly evidenced in interviews with University officials and students. On numerous occasions, interviewees described a world in which design decisions were made with no written guidance, no formal reviews, and no knowledge of critical design factors.

Breach! Breach! - http://www.ratemynetworkdiagram.com

2004-09-11T01:40:00.000-07:00

This is a strange site: http://www.ratemynetworkdiagram.com/
I wonder just who's putting stuff up there - and what is it for?
- A honeypot for the dim-witted?
Or some dating site for nerds? =)))

DRAFT NIST Special Publication 800-72, Guidelines on PDA Forensics

2004-08-28T09:03:00.000-07:00

Yep, NIST has now a draft guideline for PDA forensics.. =)
http://csrc.nist.gov/publications/drafts.html#sp800-72
- good stuff, although points out the insecurities within Palm OS.. =((

Reverse (SSH) shells

2004-08-28T08:54:00.000-07:00

I know that reverse shells are used by trojans for ages.
http://www.brandonhutchinson.com/ssh_tunnelling.html
has a handy description of this is configured with standard openSSH.
READ: How do I get to log in on machine A from home with SSH, by making A connect to me (rather vice versa).