mynfosec

Regex dos = redos

2009-12-10T10:23:00.001-05:00

OWASP podcast #56 with Jim Manico interviewing Adar Weidman.
Good coverage of interesting aspect of regex parsing that can lead to
DOS at server and browser.
Http://www.owasp.org/index.php/Podcast_56

David Kadow
--

Data Forensics and New State Laws

2009-09-21T21:09:00.004-04:00

According to an interview by Networkperformancedaily, with Matt Miller of the Institute for Justice, "Last year ( 2007 ), the state of Texas passed a law that basically said that to perform a lot of types of data analysis; you have to have a private investigator's license. And, if you perform that analysis without a license, or if you are a customer and you seek to have that analysis performed by somebody without a license, it is punishable by up to one year in jail and up to $14,000 in fines."

ThiSo this is not a new case, but it's important, and it's not over, and you should follow this and similar cases in other states, as it could severely limit your ability to do parts of your job.

As IT professionals, security and related operations have always been part of the job of designing and administering systems, maintaining uptime, and investigating problems.

The summary statements of the laws we discuss here sound sensationalist, and indeed, the devil is in the details. However I'm not going to dissect the related laws from every state. I will review the important aspects, and try to avoid exaggeration. I will also provide POV from the Private Investigator, through interviews.

For now, some good resources are :
http://legal-beagle.typepad.com/wrights_legal_beagle/computer-forensics-license/
http://hack-igations.blogspot.com/2008/12/digital-forensics-private-eye-pi.html
http://www.networkperformancedaily.com/2008/07/interview_with_matt_miller_w_i.html

New SANS and WebSense reports point to where we should focus our defense.

2009-09-17T12:45:00.004-04:00

NY Times picked this up with the headline that "Security Pros Are Focused on the Wrong Threats" ( By Riva Richmond )

Not really alarmist, considering the facts.

SANS:

Summary:
Point 1. PATCH!!!!!! What are you waiting for ?!?!?!?
because
Point 2. 60% of attacks are against legit websites, many of which are open to being sql-injected. This means unpatched users hitting those sites can easily be exploited while doing legitimate browsing. Point 2 was really FIX YOUR WEBSITES!, but the dual message is because so many sites are broken, patch your clients!

Websense:

Highlights:
• Websense Security Labs identified a 233 percent growth in the number of malicious Web sites in the last six months and a 671 percent growth during the last year.
• 77 percent of Web sites with malicious code are legitimate sites that have been compromised. This remains unchanged from the last six-month period.
• 87.7 percent of email messages were spam. This represents a three percent increase over the last six months.
• 37 percent of malicious Web/HTTP attacks included data-stealing code. This remains unchanged from the last six-month period.
• 57 percent of data-stealing attacks are conducted over the Web. This number has stayed consistent over the six-month period.

Online Security Conference - 6->8 Nov 2009

2009-09-10T08:05:00.002-04:00

For those of us whose companies still have limited to no funding for travel and training "investment", this may be a welcome development.

http://securitytubecon.org/cfp.html

Quality will be interesting, with one parameter being "no rejection" of papers and talks.

Cisco Team Infiltrates Botnet.

2009-08-21T09:36:00.002-04:00

A great quote from the story is "Typically, administrators patch vulnerable machines or deploy some sort of intrusion prevention system (IPS) to protect against exploits. Both approaches are effective the majority of the time, but neither approach protects systems against the uneducated user." It's such a polite way of saying something I've heard several times a week since becoming responsible for infosec..."you can't secure 'stupid' ".
In this story, that goes both ways. Read on.

http://www.cisco.com/web/about/security/intelligence/bots.html

Blackhat Papers

2009-08-14T09:06:00.002-04:00

In case you didn't go or didn't know....
http://www.blackhat.com/html/bh-usa-09/bh-usa-09-archives.html

Personal Safety. Personal Responsibility.

2009-08-07T12:00:00.007-04:00

Look, it's BAD out there. Trust me. ( OR start reading any of the material linked here on a regular basis ) Being aware of how to compute securely is no less important than knowing how to drive a car. For that you need to be a certain age and pass a couple exams. It's too bad we can't enforce this for computing yet. But to be truly safe you really need to internalize and live the information you learned in driver's ed. Plus practice quite a bit ( every day for the rest of your life, eh ? ). Otherwise you can get really hurt, and your actions can hurt others.

Computing is very much the same. If you're not operating with certain basic awareness and protections, you will definitely get pwned, and in getting pwned, your system will be used by "the dark side" as part of a botnet to conduct attacks on others. Millions of home systems are "serving two masters" every day.

Do the right things and you can lower your risk.

At Home
1. Sign up for OpenDNS, and configure your home router ( you DO use a router, don't you ?!?!?!? [ Linksys, Netgear, etc...] ) with OpenDNS DNS Servers in place of your ISP's DNS servers.
2. Configure your router and it's clients with AT LEAST WPA2 security.

On the road, or at the coffee shop
1. If you really must join someone else's wireless, first disable all sharing on your laptop and turn on the firewall.
2. DO run some comprehensive endpoint protection ( this is MORE than just anti-virus ). And yes, do this even on a Mac. ( Here's why )

In General, everywhere
1. Patch your systems !!!! Windows, MacOS, Ubuntu...they all need it ! Do it! Daily!
2. Whenever possible browse the web only with Firefox loaded with the essential add-ons NoScript and WOT ( Web of Trust )
This is key because 90% of the way you'll be pwned on the web will be through malicious javascript hidden in legit websites ( and definitely on illegit sites ! Shame on you ! )
3. Be careful links, attachments in email, and all content. Where is it from? Who is it from? Do you really need to open it ?

Do you have other tips ? Add-'em ! C'mon!

The-DCNYC-Hacking-Meetup-Group- 22-July meeting

2009-07-21T21:49:00.000-04:00

The-DCNYC-Hacking-Meetup-Group-announce@meetup.com

( from Marco ) Hi All,

This Wednesday (tomorrow) we have a great meetup with 2 powerful presentations, The first is Scapy... If you use nmap, hping, tcpdump, wireshark, tracert, icmp or any of your favorite tools chances are Scapy can replace it. Why learn so many tools and there flags when you can just use Scapy. We are also having R3L1k the creator of Fast Track he will give a small presentation and a demo. We also have alot of giveaways, anyone who RSVP's receives a free domain name and we will be raffling away alot of goodies like last month.

myinfo sources

2009-07-21T14:16:00.005-04:00

These are the sites I check out frequently. It's a ton, so I'm moving more to pulling all of these that have rss into google reader. But the original sites are always a richer experience anyway, so listing them here. Bill Blunden has a great listing at belowgotham, organized by subject. I'll get around to doing that here. For now though.....

Risk

http://www.NIST.org/news.php
http://www.riskinfo.com/

Security

site

http://blogs.vmware.com/security/ ( VMware )

http://carnal0wnage.attackresearch.com/ ( Chris Gates )

http://lists.immunitysec.com/pipermail/dailydave/ ( "Daily Dave" by Dave Aitel )

http://datalossdb.org/

http://episteme.ca/ ( Mike Murray )

http://feeds.feedburner.com/techtarget/Searchsecurity/SecurityWire

http://googleonlinesecurity.blogspot.com/

http://ha.ckers.org/blog/ ( Robert 'rsnake' Hanson blog )

http://isc.sans.org/

http://metasploit.com/home/

http://packetstormsecurity.org/ ( propecia tool is here )

http://searchsecurity.techtarget.com

http://secunia.com/advisories/historic/

http://skeptikal.org/index.php ( mckt blog )

http://t-rob.net/wmq/ T.Robert Wyatt's MQ-Security Blog

http://taosecurity.blogspot.com/ (Richard Bejtlich )

http://thedigitalstandard.blogspot.com/ Chris Pogue ( co-Author w/Harlan Carvey )

http://vrt-sourcefire.blogspot.com/

http://windowsir.blogspot.com/ Windows Forensics

http://www.2600.com/

http://www.attackresearch.com/ (ValSmith )

http://www.cisco.com/en/US/products/products_security_advisories_listing.html

http://www.darknet.org.uk/

http://www.doxpara.com/ ( kaminsky's site )

http://www.exoticliability.com/

http://www.grc.com/securitynow.htm

http://www.matasano.com/log/

http://www.microsoft.com/technet/security/default.mspx

http://www.pauldotcom.com/ ( Paul Asadoorian )

http://www.rationalsurvivability.com/blog/ ( Chris Hoff's rants on Security. Good focus on Cloud Security, Virtualisation Security )

http://www.schneier.com/blog/

http://www.securityfocus.com/vulnerabilities

http://securitymetrics.org/

http://appsecstreetfighter.com/ ( SANS )

http://www.us-cert.gov/cas/alerts/

http://www.us-cert.gov/cas/techalerts/index.html

http://www.vmware.com/resources/techresources/cat/91,98 ( VMware Security White papers )

http://www.WindowSecurity.com/

http://news.zdnet.com/ ...Especially the ZeroDay Blog

Security Metrics


http://www.securitymetrics.org/content/Wiki.jsp ( SecurityMetrics.org) https://www.metricscenter.net/ ( MetricsCenter.net ) https://www.metricscenter.net/index.php/mc-catalog.html ( Public Catalogue ) http://www.sans.org/.../a_guide_to_security_metrics_55 ( SANS Metrics paper )