Don Parker Blog

Archive: 2007

VPNs and fragmentation

Well, I would imagine most of you have Virtual Private Networks (VPNs) on your corporate network. That, plus the use of an IDS, can potentially give you problems, as the use of VPNs will often result in fragmented traffic. I had that very problem occur a couple of years ago, and the end result was some really bizarre fragmented traffic. It took a while to figure out what the problem was, but eventually we were able to trace it back to the VPN. Any of you guys ever experience the same scenario?


2007 e-Crime Survey

2007 e-Crime Watch Survey and the 5th Annual Global State of Information Security

Awareness of information security and identity theft issues is at an all-time high, but overall security isn’t improving. Even with increased IT spending, security specialists are recognizing that the amount they don’t know is rapidly growing. The explosion of stealthy threats from bots, Trojans and rootkits continues to outpace most IT staff capabilities.

Date: Nov. 27, 2007

Time: 2:00 PM ET (1:00 PM CT, 12:00 PM MT, 11:00 AM PT)


Join us for a look at two recent surveys of security professionals, the 2007 e-Crime Watch Survey and The Fifth Annual Global State of Information Security. These 2007 surveys have been compiled from CERT, CSO Magazine, U.S. Secret Service, CIO, CSO and PricewaterhouseCoopers. This presentation will focus on the results, analysis and potential solutions for SMB organizations.


More Microsoft patching

A good number of you are likely aware that Microsoft just issued another series of patches recently. I’m curious though to know if any of you have seen any activity that used these exploit vectors? Personally, I have not seen any such activity. It is always interesting to see just how widely exploited some of these vulnerabilities are prior to the actual patch announcements. Quite a few people have the skill to reverse engineer the patch, once released, and then find the problem. That is why things often pick up after a patch release.


ISP Abuse departments

Well, I have always known that ISP abuse departments are generally very lame. They never seem to bother returning any darn email that you send them. I recently had the need to try and find out what the heck an intermittent connection was doing. The IP address was easily resolved to the ISP, but when I tried to surf to it on port 80 there was nothing there. Strange. I thought my wife or son might have gotten me hacked :-o. So I decided to send some packet logs to the ISP abuse department to investigate just why this IP addy with no web server was seeing SYN connect attempts from my computer.

07:52:41.875000 IP (tos 0x0, ttl 128, id 21722, offset 0, flags [DF], proto: TCP (6), length: 48) 192.168.111.2.1374 > 209.123.81.159.80: S, cksum 0x727f (correct), 3900559278:3900559278(0) win 65535 <mss 1460,nop,nop,sackOK>
0x0000: 4500 0030 54da 4000 8006 5328 c0a8 6f02 E..0T.@...S(..o.
0x0010: d17b 519f 055e 0050 e87d cfae 0000 0000 .{Q..^.P.}......
0x0020: 7002 ffff 727f 0000 0204 05b4 0101 0402 p...r...........

Well, the abuse department never bothered to get back to me, of course. Job well done, ya bunch of idiot sticks. Nice to see your sad level of commitment! Anyhow, I decided to run tcpdump.exe on my computer to try and find out what the heck was going on, for, as mentioned, there was no web server at the IP addy. Well, it turned out to be much ado about nothing. It was Symantec dialing out for a/v updates.

07:52:41.906250 IP (tos 0x0, ttl 128, id 21728, offset 0, flags [DF], proto: TCP (6), length: 126) 192.168.111.2.1375 > 209.123.81.159.80: P, cksum 0x5336 (incorrect (-> 0xdd11), 3653321399:3653321485(86) ack 3405129712 win 65535
0x0000: 4500 007e 54e0 4000 8006 52d4 c0a8 6f02 E..~T.@...R...o.
0x0010: d17b 519f 055f 0050 d9c1 42b7 caf6 27f0 .{Q.._.P..B...'.
0x0020: 5018 ffff 5336 0000 4745 5420 2f20 4854 P...S6..GET./.HT
0x0030: 5450 2f31 2e30 0d0a 5573 6572 2d41 6765 TP/1.0..User-Age
0x0040: 6e74 3a20 436f 6e6e 6563 7469 7669 7479 nt:.Connectivity
0x0050: 0d0a 486f 7374 3a20 7777 772e 7379 6d61 ..Host:.www.syma
0x0060: 6e74 6563 2e63 6f6d 0d0a 5072 6167 6d61 ntec.com..Pragma
0x0070: 3a20 6e6f 2d63 6163 6865 0d0a 0d0a :.no-cache....

The reason I didn’t see a web server there is evident in the packet below.

07:52:41.921875 IP (tos 0x0, ttl 57, id 63965, offset 0, flags [DF], proto: TCP (6), length: 215) 209.123.81.159.80 > 192.168.111.2.1375: P, cksum 0x3598 (correct), 3405129712:3405129887(175) ack 3653321485 win 5840
0x0000: 4500 00d7 f9dd 4000 3906 f47d d17b 519f E.....@.9..}.{Q.
0x0010: c0a8 6f02 0050 055f caf6 27f0 d9c1 430d ..o..P._..'...C.
0x0020: 5018 16d0 3598 0000 4854 5450 2f31 2e30 P...5...HTTP/1.0
0x0030: 2033 3031 204d 6f76 6564 2050 6572 6d61 .301.Moved.Perma
0x0040: 6e65 6e74 6c79 0d0a 5365 7276 6572 3a20 nently..Server:.
0x0050: 416b 616d 6169 4748 6f73 740d 0a43 6f6e AkamaiGHost..Con
0x0060: 7465 6e74 2d4c 656e 6774 683a 2030 0d0a tent-Length:.0..
0x0070: 4c6f 6361 7469 6f6e 3a20 6874 7470 3a2f Location:.http:/
0x0080: 2f77 7777 2e73 796d 616e 7465 632e 636f /www.symantec.co
0x0090: 6d2f 696e 6465 782e 6a73 700d 0a44 6174 m/index.jsp..Dat
0x00a0: 653a 2057 6564 2c20 3037 204e 6f76 2032 e:.Wed,.07.Nov.2
0x00b0: 3030 3720 3132 3a35 303a 3137 2047 4d54 007.12:50:17.GMT
0x00c0: 0d0a 436f 6e6e 6563 7469 6f6e 3a20 636c ..Connection:.cl
0x00d0: 6f73 650d 0a0d 0a ose....

So I was happy to have figured out this mystery and to realize I had not been hacked somehow. That said, would it have really been that hard for those lazy wankers at the abuse department to tell me that Symantec used to have a server there???
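To show what the three dumps above actually contain, here is an added Python example; it is my code, not the author's and not tcpdump's own logic. It rebuilds the raw bytes from the hex column of each tcpdump -X dump, pulls out the IPv4 and TCP header fields, recomputes the IP header and TCP checksums, and parses the HTTP request and the 301 reply. The only input is the packet bytes printed above; the decoder itself uses nothing beyond the standard library, and its field names (Packet, decode, tcp_checksum, parse_http) are my own.

```python
"""Decode tcpdump -X style hex dumps into IPv4/TCP fields, verify the checksums
and read the HTTP payload.  Added example: decoder is mine, not tcpdump's; the
three dumps are the packets shown in the post, with the '0x' offsets restored."""
import re
import struct
from collections import namedtuple

SYN_PKT = """0x0000: 4500 0030 54da 4000 8006 5328 c0a8 6f02 E..0T.@...S(..o.
0x0010: d17b 519f 055e 0050 e87d cfae 0000 0000 .{Q..^.P.}......
0x0020: 7002 ffff 727f 0000 0204 05b4 0101 0402 p...r...........
"""
GET_PKT = """0x0000: 4500 007e 54e0 4000 8006 52d4 c0a8 6f02 E..~T.@...R...o.
0x0010: d17b 519f 055f 0050 d9c1 42b7 caf6 27f0 .{Q.._.P..B...'.
0x0020: 5018 ffff 5336 0000 4745 5420 2f20 4854 P...S6..GET./.HT
0x0030: 5450 2f31 2e30 0d0a 5573 6572 2d41 6765 TP/1.0..User-Age
0x0040: 6e74 3a20 436f 6e6e 6563 7469 7669 7479 nt:.Connectivity
0x0050: 0d0a 486f 7374 3a20 7777 772e 7379 6d61 ..Host:.www.syma
0x0060: 6e74 6563 2e63 6f6d 0d0a 5072 6167 6d61 ntec.com..Pragma
0x0070: 3a20 6e6f 2d63 6163 6865 0d0a 0d0a :.no-cache....
"""
REPLY_PKT = """0x0000: 4500 00d7 f9dd 4000 3906 f47d d17b 519f E.....@.9..}.{Q.
0x0010: c0a8 6f02 0050 055f caf6 27f0 d9c1 430d ..o..P._..'...C.
0x0020: 5018 16d0 3598 0000 4854 5450 2f31 2e30 P...5...HTTP/1.0
0x0030: 2033 3031 204d 6f76 6564 2050 6572 6d61 .301.Moved.Perma
0x0040: 6e65 6e74 6c79 0d0a 5365 7276 6572 3a20 nently..Server:.
0x0050: 416b 616d 6169 4748 6f73 740d 0a43 6f6e AkamaiGHost..Con
0x0060: 7465 6e74 2d4c 656e 6774 683a 2030 0d0a tent-Length:.0..
0x0070: 4c6f 6361 7469 6f6e 3a20 6874 7470 3a2f Location:.http:/
0x0080: 2f77 7777 2e73 796d 616e 7465 632e 636f /www.symantec.co
0x0090: 6d2f 696e 6465 782e 6a73 700d 0a44 6174 m/index.jsp..Dat
0x00a0: 653a 2057 6564 2c20 3037 204e 6f76 2032 e:.Wed,.07.Nov.2
0x00b0: 3030 3720 3132 3a35 303a 3137 2047 4d54 007.12:50:17.GMT
0x00c0: 0d0a 436f 6e6e 6563 7469 6f6e 3a20 636c ..Connection:.cl
0x00d0: 6f73 650d 0a0d 0a ose....
"""

# Offset label, then up to eight hex groups (last may be 2 digits); the ASCII column is never consumed.
HEX_LINE = re.compile(r"^\s*0x[0-9a-f]{4}:\s+((?:[0-9a-f]{4} ){0,7}[0-9a-f]{2,4})")
FLAG_NAMES = ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"), (0x10, "ACK"))
Packet = namedtuple("Packet", "raw ihl total_len ip_id ttl src dst sport dport seq flags tcp_cksum payload")


def parse_hexdump(text: str) -> bytes:
    """Collect the hex column of every offset line into one byte string."""
    out = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def decode(raw: bytes) -> Packet:
    """Split a raw IPv4/TCP packet into header fields and the TCP payload."""
    ver_ihl, _tos, total_len, ip_id, _frag, ttl, proto, _ip_cksum = struct.unpack("!BBHHHBBH", raw[:12])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("example handles IPv4/TCP only")
    ihl = (ver_ihl & 0x0F) * 4
    seg = raw[ihl:total_len]
    sport, dport, seq, _ack, off_flags, _win, tcp_cksum, _urg = struct.unpack("!HHIIHHHH", seg[:20])
    flags = "+".join(name for bit, name in FLAG_NAMES if off_flags & bit)
    return Packet(raw, ihl, total_len, ip_id, ttl, ".".join(map(str, raw[12:16])),
                  ".".join(map(str, raw[16:20])), sport, dport, seq, flags, tcp_cksum,
                  seg[(off_flags >> 12) * 4:])


def ip_header_ok(pkt: Packet) -> bool:
    """The header sum, checksum field included, folds to 0xFFFF when intact."""
    return ones_complement_sum(pkt.raw[:pkt.ihl]) == 0xFFFF


def tcp_checksum(pkt: Packet) -> int:
    """Recompute the TCP checksum over the IPv4 pseudo-header plus the segment with its
    checksum field zeroed; compare the result with pkt.tcp_cksum as carried on the wire."""
    seg = bytearray(pkt.raw[pkt.ihl:pkt.total_len])
    seg[16:18] = b"\x00\x00"
    pseudo = pkt.raw[12:20] + struct.pack("!BBH", 0, 6, len(seg))
    return ~ones_complement_sum(pseudo + bytes(seg)) & 0xFFFF


def parse_http(payload: bytes) -> dict:
    """Split an HTTP/1.0 message into start line, lower-cased headers and body."""
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"start": lines[0], "headers": headers, "body": body}


if __name__ == "__main__":
    for p in map(decode, map(parse_hexdump, (SYN_PKT, GET_PKT, REPLY_PKT))):
        print(p.src, p.sport, "->", p.dst, p.dport, p.flags, "ip_ok", ip_header_ok(p),
              "tcp_cksum_ok", tcp_checksum(p) == p.tcp_cksum, parse_http(p.payload)["start"] if p.payload else "")
```

The recomputed TCP checksum for the outbound GET comes out to 0xdd11, the value tcpdump flagged with "incorrect (-> 0xdd11)" above, while the SYN verifies to its carried 0x727f. That pattern is the usual checksum-offload artifact: when you capture on the sending machine, the NIC fills in the TCP checksum after tcpdump has already copied the frame, so a mismatch on your own outbound packets is a capture quirk, not corruption or tampering; the same mismatch on inbound packets would be worth investigating. The inbound reply decodes to an HTTP/1.0 301 with Content-Length 0 and a Location header pointing at www.symantec.com, which is the evidence the author reads as the reason the bare IP looked empty.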


Software baselines

As attackers continue to target software packages such as QuickTime, amongst others, it makes one wonder whether more companies should not clamp down on their software baseline installs. While Microsoft has steadily improved the security of its operating systems, it only makes sense for hackers to shift their focus. This is where having a sane software baseline is very important for a corporate network. There is really little need to install QuickTime, to list but one example. Too many employees expect their company to also act as an ISP while forgetting they are there to work. Having a software baseline is one way to deal not only with employee surfing but also to help secure the network itself. Any of you guys have such a policy in place at work?


Symantec purchases yet another company

If you ask me, the trend of the last few years, which has seen a tremendous amount of consolidation in the computer security industry, is not really a good thing. Now Symantec has bought out another company in order to round out its product offerings. It is not often that you will see large companies at the forefront of innovation. This is why it does not really bode well for us as a whole. Another example of this is IBM and other companies going on a recent buying spree. It's great news for the owners and/or shareholders of the bought-out companies, but not so great for the rest of us. Time will be the ultimate judge of this though.


Improving cybersecurity?

It was with some amusement that I read the following. I don’t know why they need a whole task force composed of experts to come up with a strategy to better safeguard their cyber assets. As we all know, it all comes down to implementing standard procedures. The key, though, is in making sure the foot soldiers, i.e. the sysadmins, actually implement this plan. Case in point: how often have we seen systems hacked because they did not have a patch installed, or a system actually connected to the Internet while it was being hardened? Let’s not overcomplicate things here. Stick to the basics and make darn sure that you actually stick to the game plan.


Adobe PDF exploit

Most of you have likely heard about the recent surge in the use of the Adobe PDF exploit. Personally, I have received a few emails containing it, but I was not able to actually look at the attachment. It was too late, as my provider had caught it. Kind of a bummer, as I wanted to crack it open in a hex editor and also Olly. Have any of you been getting these attachments at your work or home? The volume does not seem to be too bad so far. If any of you have got a sample, feel free to send it my way. Send me an email first though :-).


Spyware equals $$$

Well, if there was ever a doubt that spyware is big business, give the following a read. I seriously doubt anyone will shed a tear now that the company has shut its doors. It is hard to comprehend, though, just how spyware can be so lucrative. That said, when you have millions of computers at your disposal, so to speak, the revenue can quickly add up. It is also nice to see that the government is taking this type of electronic annoyance more seriously by beginning to hand out some stiff fines.


Identity theft

I just read this piece on identity theft. So it came as a funny coincidence that my insurance policy arrived in the mail. Part of my policy gives me coverage for identity theft. A whopping $10,000.00 is what I am covered for. There is little doubt that identity theft is a real problem. The question, though, is just how widespread is it? I don't know anyone who has been a victim of this. What about you guys? Anyone you know affected by this?


