SecurityFocus published a great two-part article entitled Detecting Worms and Abnormal Activities with NetFlow (part 1 & part 2). If you have Cisco or other NetFlow-capable network equipment, I highly recommend these articles. They're not terribly technical, but they are a great overview of what NetFlow is and how you can use it to look for some common signs of malicious activity.
Thursday, September 30, 2004
Wednesday, September 29, 2004
Here's another SecurityFocus article for you today: Wireless Attacks and Penetration Testing (part 1 of 3). This is not a technical how-to article, but more of an overview of the process.
BTW, for a more thorough treatment of this subject, I can highly recommend Wi-Foo: The Secrets of Wireless Hacking by Andrew Vladimirov, Konstantin V. Gavrilenko and Andrei A. Mikhailovsky. I recently picked up a copy and was quite impressed. Expect a review soon at my other blog InfosecBooks.Com.
Posted by David Bianco at 11:28 AM
SecurityFocus has published a piece called Defeating Honeypots: Network Issues, Part 1. In this case, "defeating" means to identify the system as a honeypot. The article is a bit light on technical details at first, but it gets a little more interesting near the end. It's a good read if you're planning to deploy a honeypot.
Posted by David Bianco at 11:21 AM
Thursday, September 23, 2004
... and, according to CNet's News.Com, this gun is called "IE patches". Apparently, Microsoft has decided to no longer issue IE updates for Windows versions older than XP. If true, this will be a major blow to over 200,000,000 users of older Windows products.
I checked the Microsoft website and couldn't find a press release or other documentation about this, so I hope it's a false rumor. If anyone can point to information either confirming or denying this, please let me know.
Update 2004/09/23 14:58 Just to be clear, this is only about new security features, not about security patches. So the XP SP2 improvements, for example, won't be backported. As far as I know, security patches for existing features will still continue.
Posted by David Bianco at 11:04 AM
Tuesday, September 21, 2004
Yeah, ok, this isn't my usual fare on this blog, but I just finished watching my newly-acquired WarGames DVD. I'm astounded at how well this movie holds up two decades after its original release. Soviet era FUD aside, you could almost shoot the same script today. The computers would be smaller (no 8" IMSAI floppy drives) but hacking really hasn't evolved as much as you might think. We still use war dialers to find rogue modem lines, and people still use weak, guessable passwords for important accounts.
Ok, I'm off the soapbox now. I love this movie...
I wasn't originally going to post about this, but then I came to realize how incredibly significant this is. AOL, ISP to the digital huddled masses, has decided that passwords will no longer cut it, and is moving to RSA's SecurID tokens.
Everyone knows it's the right thing to do. Password technology hasn't changed much in the last few decades, and with increasing amounts of CPU power, RAM and disk space, the future is looking grim for single-factor authentication.
Most organizations have been holding off on two-factor authentication, though, due to both the extra cost and the perceived deployment difficulty. If giant AOL can work it out, this could clear the way for a lot of smaller-scale deployments.
I can't wait to read a case study on this.
Posted by David Bianco at 1:04 PM
Monday, September 20, 2004
I just saw this article today, entitled "VMWare Takes Virtual Machines Mobile". At first I thought it was about VMWare access from Windows CE or something, but that's not it at all. Apparently VMWare has leveraged their virtual machine technology to provide locked-down endpoint workstation images that can be centrally managed to ensure compliance with IT and security policies.
Here's the scenario I found most interesting: Apparently, you can load OS + applications onto a single DVD, then install that on an untrusted computer, like an employee's home PC. He can run that OS in a VMWare virtual machine, and use the 'trusted' image to connect back to the secure corporate LAN, without fear of some virus or other malware leaking through.
Of course, this isn't perfect security, since an attacker could still log your keystrokes or even theoretically modify or break into the VM image, but it seems like a useful layer of extra security, provided the endpoint hardware is up to the task.
Posted by David Bianco at 2:23 PM
Wednesday, September 15, 2004
While I'm posting news clippings, here's a great one. These guys are not just being paid to hack, they're being paid to hack critical public infrastructure. To all you guys (and girls?) at INEEL: You have my dream job. Take good care of it.
Posted by David Bianco at 2:45 PM
This article has been popping up over most of the security sites today. Basically, some researchers at Harvard, Boston University and BBN have created an optical network that serves up web pages and basically acts like a regular LAN, by all accounts. The difference is that the simple act of eavesdropping on a communication disrupts it, so if your information makes it across the network, you know it remained private.
Actually, it's a bit more complex than this. Apparently all the data is encrypted using conventional symmetric encryption and sent via a conventional network. The article implies that the photons are carried over a separate network, and are used to exchange encryption keys. This doesn't seem very practical right now, since we already have good algorithms for exchanging private key data over public networks. Also, good encryption is easy to come by, and fairly fast on today's hardware. Presumably the researchers in this project have bigger plans. I'm really looking forward to hearing what they are.
Posted by David Bianco at 2:28 PM
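The "eavesdropping disrupts the exchange" property described above, as an added illustration that is not from the article or from the Harvard/BU/BBN project: a small simulation of the BB84 quantum key-exchange protocol with an intercept-resend eavesdropper (the post does not say which protocol the researchers used; BB84 is the textbook one). The 5% abort threshold, the photon count and the seeded random number generator are assumptions made for this example.

```python
import random

def measure(bit, prep_basis, meas_basis, rng):
    """Read a photon prepared as `bit` in `prep_basis` with `meas_basis`.
    Matching bases give the prepared bit; a mismatched basis gives a
    random outcome, which is what makes an interceptor visible."""
    return bit if prep_basis == meas_basis else rng.randrange(2)

def bb84_exchange(n, eavesdrop, seed=7, max_error=0.05):
    """Run one BB84 exchange over `n` photons and return (key, error_rate).
    `key` is None when the sifted-key error rate exceeds `max_error`
    (the 5% abort threshold is an assumption for this illustration)."""
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n)]
    alice_bases = [rng.randrange(2) for _ in range(n)]  # 0 = rectilinear, 1 = diagonal
    bob_bases = [rng.randrange(2) for _ in range(n)]
    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        if eavesdrop:
            # Intercept-resend: Eve must pick a basis, measure, and re-send
            # a fresh photon in the basis she chose; half the time she guesses
            # wrong and the photon Bob receives no longer carries Alice's bit.
            e_basis = rng.randrange(2)
            bit = measure(bit, a_basis, e_basis, rng)
            a_basis = e_basis
        bob_bits.append(measure(bit, a_basis, b_basis, rng))
    # Sifting: over the public channel Alice and Bob compare bases (not bits)
    # and keep only positions where they chose the same basis.
    sifted = [(a, b) for a, b, ab, bb in
              zip(alice_bits, bob_bits, alice_bases, bob_bases) if ab == bb]
    # Error estimate: sacrifice every other sifted bit for a public comparison.
    sample, rest = sifted[::2], sifted[1::2]
    error_rate = sum(a != b for a, b in sample) / len(sample)
    if error_rate > max_error:
        return None, error_rate  # someone looked; abort, no key is produced
    return [a for a, _ in rest], error_rate

if __name__ == "__main__":
    for eve in (False, True):
        key, qber = bb84_exchange(4000, eavesdrop=eve)
        print(f"eavesdropper={eve}: error rate {qber:.3f}, "
              f"key bits {'none (aborted)' if key is None else len(key)}")
```

Without an interceptor the sifted bits agree exactly; an intercept-resend attacker guesses the wrong basis half the time and so introduces roughly 25% disagreement, which the public comparison exposes before any key is used.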
Thursday, September 09, 2004
Tuesday, September 07, 2004
Thursday, September 02, 2004
Wow. RTIR looks just like what I need. It's a full-blown trouble ticket reporting system that's been customized to handle Incident Response duties. It has a fully scriptable engine, and does neat things like automatically correlate IP addresses between incidents or investigations, integrate whois/traceroute lookups and provide workflow management. You can even add custom scripts into it to extend it to features in your own environment. This looks nice to me. Does anyone else know of anything similar?
Posted by David Bianco at 1:34 PM
Wednesday, September 01, 2004
This is a very good, simple Q&A about the recent controversy about hashes being broken (or not broken, as the case may be). This is by far the most simple explanation I've found about what this means for those of us who are not cryptographers, but use hashes every day. Think "digital signatures", "tripwire" and the like. Read it. Really.
Posted by David Bianco at 8:13 PM