ShmooCon 2009
ShmooCon 2009 is starting tomorrow in Washington DC and it promises to be a good security conference. If you have never been, I highly encourage you to check out the videos from past conferences on youtube.
I thought this was pretty funny because of how true most of it is: How to Suck at Information Security
What struck me was the following line: “Ban the use of external USB drives while not restricting outbound access to the Internet.”
This sums up one of the most egregious mistakes in information security: taking a vulnerability view rather than a threat view of how to secure your infrastructure. USB drives typically pose a relatively small threat to an infrastructure compared with unfettered outbound Internet access, yet many organizations I have worked with are doing exactly that.
Happy New Year, 2009. Everyone makes some kind of resolution for the new year. I think it is the hope that we can somehow change the things that we least like about ourselves or our lives that causes us to make promises. Every year I resolve to lose weight, but somehow by the end of the year I am right back where I was before.
This year, I am resolving to write more and be more visible. I plan on writing regularly here about information security and the relationship it has with economics, politics, news, and other areas. Hope you enjoy, and if there is something you wish to comment on or suggest, please put it in the comments.
So, in honor of George Carlin, here is a list of 7 things that you can’t say if you are a security consultant:
7. Anti-virus has not and never will work.
6. Your vendor’s security product (X) will NEVER make you more secure.
5. Compromise is inevitable and there is nothing you can do to stop it.
4. Security professionals are completely unqualified for what they are doing.
3. Code will never be secure.
2. Defense in depth doesn’t work.
1. Security is an illusion and won’t ever be perfect. It hasn’t worked in the physical world, and certainly won’t work in virtual worlds. Ever.
A little tongue-in-cheek, but let me know what you think.
Feel free to add to this in the comments.
I stumbled upon these Firefox plugins the other day that allow you to test a given website against a set of predetermined XSS or SQL injection parameters. The tools include XSS-Me, SQL Inject-Me, and Access-Me, all designed to test the security of a website in an easy fashion:
http://www.securitycompass.com/exploitme.shtml
I thought these were pretty cool. I ran it against a widely used corporate email web application and was surprised by how many of the XSS tests succeeded. Be careful not to fiddle with Firefox while this is running, because it will ruin the test. Also, Firefox 2 ate up a lot of memory while doing this, so I wouldn’t run it on that 486 sitting in the corner.
This is freaking interesting. In case you haven’t heard about the encrypted letter that Fermilab was sent and asked for help breaking, here is some more information:
http://www.symmetrymagazine.org/breaking/2008/05/15/code-crackers-wanted/
http://www.jgc.org/blog/2008/05/breaking-fermilab-code.html
http://www.gmilburn.ca/2008/05/17/fermilabs-strange-letter-progress/
Also, a report of spiking scans for SSH brute force logins using common username and passwords:
http://www.securityfocus.com/news/11518
You can always run SSH on a port other than 22 if the firewall is configured for it; how about 2222? Make sure root login is not allowed and that usernames and passwords aren’t easy to brute force (30-character passwords with upper/lowercase letters, numbers, and special characters).
Of course, none of this matters if you have a rootkit keystroke logging on your computer (see previous article).
Have a nice day!
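As an added illustration of the SSH hardening advice in the post above (example code, not from the article or any project): a small audit of sshd_config text for the settings discussed, run against a constructed weak configuration and a constructed hardened one. The severity labels and the MaxAuthTries threshold are this example's own choices; the defaults it assumes are Port 22, PasswordAuthentication yes, MaxAuthTries 6, and PermitRootLogin prohibit-password (OpenSSH 7.0 and later).

```python
# Added example (not code from the article or any project): audit sshd_config
# text against the hardening points above. Sample configs are constructed.
import re

# Constructed "before" configuration showing the weak settings
WEAK_SSHD_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
"""

# Constructed "after" configuration following the advice above (keys only)
HARDENED_SSHD_CONFIG = """
Port 2222
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 3
"""


def parse_sshd_config(text):
    """Map lowercase keyword -> list of values in file order.

    sshd applies the first occurrence of a keyword, so callers take [0].
    Directives inside a Match block are skipped (assumption: only the
    global defaults are audited). "Key value" and "Key=value" both parse.
    """
    conf = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True   # everything after a Match line belongs to that block
            continue
        if in_match:
            continue
        conf.setdefault(key, []).append(value)
    return conf


def audit_sshd_config(text):
    """Return a list of (severity, finding) for settings that weaken SSH."""
    conf = parse_sshd_config(text)
    findings = []

    if "22" in conf.get("port", ["22"]):
        findings.append(("low", "listening on the default port 22"))

    root = conf.get("permitrootlogin", ["prohibit-password"])[0].lower()
    if root == "yes":
        findings.append(("high", "PermitRootLogin yes: root can be brute forced directly"))

    if conf.get("passwordauthentication", ["yes"])[0].lower() == "yes":
        findings.append(("medium", "PasswordAuthentication yes: prefer key-based logins"))

    tries = int(conf.get("maxauthtries", ["6"])[0])
    if tries > 3:
        findings.append(("low", "MaxAuthTries %d: lower it to slow down guessing" % tries))

    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(text) or "no findings")
```

Moving the port only hides the daemon from the laziest scanners; the findings that matter are the root-login and password-authentication ones, which is why they carry the higher severities.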
That shouldn’t come as a shock to anyone, but for those who still doubt and put their faith in AV for protection, read this article:
http://www.darkreading.com/document.asp?doc_id=153760&WT.svl=news1_2
Thought this was a pretty nice graphic from CSO Magazine (of all places) showing different botnets and how they map to the IPs and domains that serve as command and control:
http://www.csoonline.com/article/348317/What_a_Botnet_Looks_Like
Symantec came out with their Internet Security Threat Report a couple of days ago:
http://www.symantec.com/business/theme.jsp?themeid=threatreport
The report of course suggests that Internet Security is getting worse and the bad guys are getting better, same story as always. One of the highlights though is they do acknowledge the targeted attack dangers, which is a big step forward for an anti-virus vendor:
Attackers have adopted stealth tactics that prey on end users on individual computers via the World Wide Web, rather than attempting high-volume broadcast attacks to penetrate networks. This may be because enterprise network attacks are now more likely to be discovered and shut down, whereas specifically targeted malicious activity on end-user computers and/or web-sites is less likely to be detected.
A good read for those who are interested in the new threat landscape.
There is a great article at CSO Magazine that goes over information all IT people should learn about, even if security isn’t their primary responsibility.
This article reinforces what I have been saying for a while: one of the greatest threats to businesses around the globe is the current state of computer security and the lack of well-crafted security programs to protect data and financials. In my opinion, companies and governments need to stop modeling their security programs on a prevention model and shift toward a detection / response model.
Found a pretty good blog post from the CTO of Big Fix that talks about why he believes securing an IT infrastructure is expensive for a variety of reasons:
http://techbuddha.wordpress.com/2008/01/23/the-high-cost-of-securing-it/
He also talks about strategies for approaching a CFO to justify spending of security dollars, which is interesting.
Interesting article on how some Maxtor external USB drives were shipped with malware that executed when plugged into Windows machines. The malware then exfiltrated the data stored on the drive to foreign websites. Fascinating article:
http://www.taipeitimes.com/News/taiwan/archives/2007/11/11/2003387202
Saw this post about a pretty comprehensive SQL Injection cheat sheet:
http://ferruh.mavituna.com/makale/sql-injection-cheatsheet/
Thought it went into some great detail, so check it out.
Also, this article was pretty good as well as an introduction to SQL injection:
http://webappsec.org/projects/articles/091007.shtml
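To make the cheat sheet and introduction above concrete, here is an added example (not code from either linked article): the classic string-built query beside its parameterized fix, run against an in-memory SQLite database. The table contents and the two payloads are constructed; the payloads are the ones every introduction to the topic uses.

```python
# Added example: vulnerable concatenated SQL beside the bound-parameter fix.
import sqlite3


def make_db():
    """Create a throwaway users table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse battery staple')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL by string formatting, so quotes in user input become SQL syntax."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """Same query with bound parameters: the driver passes the values separately,
    so a quote inside them stays data and cannot change the statement."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


# The two textbook payloads: one closes the string and appends an always-true
# condition, the other comments out the rest of the WHERE clause.
PAYLOAD_TAUTOLOGY = "' OR '1'='1"
PAYLOAD_COMMENT = "alice'--"


def demo():
    """Return (vulnerable_results, safe_results) for the same four inputs."""
    conn = make_db()
    cases = [
        ("alice", "correct horse battery staple"),  # genuine credentials
        ("alice", "wrong"),                          # bad password
        ("alice", PAYLOAD_TAUTOLOGY),                # injected condition
        (PAYLOAD_COMMENT, "anything"),               # injected comment
    ]
    vulnerable = [login_vulnerable(conn, u, p) for u, p in cases]
    safe = [login_safe(conn, u, p) for u, p in cases]
    return vulnerable, safe


if __name__ == "__main__":
    v, s = demo()
    print("vulnerable:", v)  # [True, False, True, True]
    print("safe:      ", s)  # [True, False, False, False]
```

The parameterized version accepts exactly the genuine credentials and nothing else; no amount of quoting or commenting in the input changes the shape of the statement, which is the whole point of binding values instead of pasting them in.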
So this is not new, but I thought it was a nice illustration of the difficulty in trusting software.
FFsniFF is a Firefox sniffer that takes all HTML form input and emails it out. It even hides from the extension manager. Source is posted.
Thought this was pretty funny: a trojan called Trojan.Kardphisher, after installation and restart, pops up a Windows activation form that asks for your credit card number, CVV2 code, and ATM PIN:
Here is the Symantec information.
Great video and article about how some researchers hacked Cisco’s Network Access Control (NAC) solution:
Greylisting is a way to filter spam and viruses based on the premise that the software sending them does not behave like a real MTA (mail transfer agent) such as Exchange, Postfix, or Sendmail. Greylisting works by temporarily rejecting any unknown triplet (IP address, destination address, source address) for 5 minutes, on the assumption that a valid MTA will retry the delivery after 5 minutes, but a virus or spam bot won’t.
Postgrey is a greylisting spam/virus filter for Postfix that catches almost 95% of it (SpamAssassin picks up the rest).
Although greylisting is not a new concept, I just implemented it and it is working better than expected.
If you have any experience with this or alternative methods like statistical analysis, post a comment below.
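The triplet logic described in the post above, as an added example that is not Postgrey's code: a minimal greylister keyed on (client IP, sender, recipient), run over a constructed delivery log. The 5-minute delay is from the text; the retry window and expiry age are this example's own assumptions.

```python
# Added example (not Postgrey's code): greylisting decisions on the triplet.
import time


class Greylister:
    """DEFER stands for an SMTP 450 temporary failure that a real MTA queues
    and retries; ACCEPT hands the message on to the next filter."""

    def __init__(self, delay=300, retry_window=2 * 24 * 3600, max_age=35 * 24 * 3600):
        self.delay = delay                # seconds a new triplet is deferred (5 minutes)
        self.retry_window = retry_window  # assumption: a retry later than this starts over
        self.max_age = max_age            # assumption: forget triplets idle this long
        self.seen = {}                    # triplet -> {"first", "last", "passed"}

    def check(self, client_ip, sender, recipient, now=None):
        now = time.time() if now is None else now
        key = (client_ip, sender.lower(), recipient.lower())
        entry = self.seen.get(key)
        if entry is None or now - entry["last"] > self.max_age:
            # Never seen (or expired): record it and ask the sender to come back later
            self.seen[key] = {"first": now, "last": now, "passed": False}
            return "DEFER"
        entry["last"] = now
        if entry["passed"]:
            return "ACCEPT"               # triplet already proved that it retries
        age = now - entry["first"]
        if age < self.delay:
            return "DEFER"                # retried too soon; still not a patient MTA
        if age > self.retry_window:
            entry["first"] = now          # abandoned for too long: restart the clock
            return "DEFER"
        entry["passed"] = True
        return "ACCEPT"


# Constructed delivery attempts: (seconds since start, client IP, sender, recipient)
SAMPLE_LOG = [
    (0,   "192.0.2.10",   "alice@example.net", "bob@example.org"),  # real MTA, first try
    (0,   "198.51.100.7", "deals@example.com", "bob@example.org"),  # bot, never retries
    (30,  "192.0.2.10",   "alice@example.net", "bob@example.org"),  # real MTA, retried too early
    (600, "192.0.2.10",   "alice@example.net", "bob@example.org"),  # real MTA, retry after 10 min
    (900, "192.0.2.10",   "alice@example.net", "bob@example.org"),  # second message, same triplet
]


def simulate(log, greylister=None):
    """Run the attempts through the policy and return the list of decisions."""
    g = greylister or Greylister()
    return [g.check(ip, frm, to, now=t) for t, ip, frm, to in log]


if __name__ == "__main__":
    for attempt, decision in zip(SAMPLE_LOG, simulate(SAMPLE_LOG)):
        print(attempt, "->", decision)
```

The cost of the scheme is visible in the log: legitimate mail from a new correspondent is delayed by at least one retry interval, which is why an implementation keeps the triplet around afterwards so later messages pass straight through.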
Just stumbled across this elegant little fork bomb for Linux/Unix bash shells. Fork bombs perform a local DoS on a machine if the number of processes a user may create is not limited (usually set in /etc/security/limits.conf on Debian/Ubuntu systems).
From PacketFu blog:
. () { . | . & } ; .
0 1 2 3 4 5 6 7 8 9
0 - function name of our newly defined function
1 - parentheses declare a function with no (here optional) arguments
2 - block begins
3 - call self, the newly defined function (recursive)
4 - open a pipe to another process
5 - call self, the newly defined function (recursive)
6 - fork! (put the whole thing in the background)
7 - block ends
8 - end complex statement [ function declaration ]
9 - run that function!
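Since the defence mentioned above is the process limit in /etc/security/limits.conf, here is an added example (not from the PacketFu post) that parses that file's format and resolves the effective nproc limit for a user, so you can tell whether a fork bomb run by that user would be bounded. The sample file is constructed, and the precedence rule it applies (a user entry beats an @group entry, which beats "*") is a simplified reading of pam_limits and an assumption of this example.

```python
# Added example: parse limits.conf and resolve the effective nproc limit.

# Constructed sample limits.conf (not any real host's file)
SAMPLE_LIMITS = """
# <domain>   <type>  <item>   <value>
*            soft    nproc    4096
*            hard    nproc    8192
@devs        hard    nproc    16384
root         -       nproc    unlimited
*            hard    nofile   65536
"""


def parse_limits_conf(text):
    """Return a list of (domain, type, item, value) tuples; value None means unlimited."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 4:
            continue  # assumption: ignore malformed lines instead of aborting
        domain, ltype, item, value = parts
        rules.append((domain, ltype, item, None if value == "unlimited" else int(value)))
    return rules


def effective_limit(rules, user, groups, item="nproc"):
    """Resolve {"soft": v, "hard": v} for user (None = unlimited, key absent = unset).

    Assumed precedence: user entry > @group entry > "*". A more specific
    domain discards values collected from a less specific one; "-" sets both.
    """
    best_rank, result = -1, {}
    for domain, ltype, it, value in rules:
        if it != item:
            continue
        if domain == user:
            rank = 2
        elif domain.startswith("@") and domain[1:] in groups:
            rank = 1
        elif domain == "*":
            rank = 0
        else:
            continue
        if rank > best_rank:
            best_rank, result = rank, {}
        elif rank < best_rank:
            continue
        for t in (("soft", "hard") if ltype == "-" else (ltype,)):
            result[t] = value
    return result


def fork_bomb_bounded(rules, user, groups):
    """True if at least one finite nproc limit applies to the user."""
    limits = effective_limit(rules, user, groups)
    return any(v is not None for v in limits.values())


if __name__ == "__main__":
    rules = parse_limits_conf(SAMPLE_LIMITS)
    for user, groups in (("bob", ["users"]), ("carol", ["devs"]), ("root", [])):
        print(user, effective_limit(rules, user, groups), "bounded:", fork_bomb_bounded(rules, user, groups))
    try:
        import resource  # Unix only: show the limit the current shell actually has
        print("this process:", resource.getrlimit(resource.RLIMIT_NPROC))
    except (ImportError, AttributeError):
        pass
```

Note that carol ends up with only a hard limit because the @devs entry overrides the wildcard soft value, and root ends up with none at all; `ulimit -u` in a shell is the quick way to confirm what was actually applied at login.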
Jay Beale, of Bastille Linux fame, has posted a skills challenge using themes from The Hitchhiker’s Guide to the Galaxy on his Ethical Hacker website. It is a short story with clues to answer 5 questions at the end, with some fun basic web hacking skills along the way.
Here is the actual post detailing the challenge. Fun!