Don Parker Blog


Auditing web applications

How many of you have in-house designed web applications tied in to a backend database? Moreover, have these custom web applications been tested for vulnerabilities? The one thing that the myriad of web application exploits has taught us is that there is a large need for security testing. Any time you introduce another dimension to your network it should be thoroughly tested. This is doubly so for anyone in the financial, automotive, and other such targeted sectors. I do say automotive because there have been several recent cases of "business intelligence", more commonly known as corporate espionage, involving automotive companies. It is far cheaper for a competitor to pay a professional hacker tens of thousands if they are going to get corporate secrets worth millions or billions.


Database breach cost = $118 million

Well, the folks at TJX who had their database breached have come up with a figure of $118,000,000 USD. That is the cost of the breach itself, and it includes the costs of liability and the credits/debits which arose as a result of the lapse in security. In retrospect it would seem a bargain to have had a well trained security staff in place, plus outsourced third party audits of their network. Well, hopefully TJX now realizes that network security is no longer an option, or a drain on resources, but rather a business enabler. I won't hold my breath waiting for a call from them though :-P


Professionalism and our image

It really is important that we as computer security professionals conduct ourselves in a professional manner. I see a lot of examples on a weekly basis where people who work in the industry shoot themselves in the foot, quite often in spectacular ways. Seeing as we all work in a medium which is Google indexed, it makes sense to choose our words carefully, even more so when they might be visible for some time to come. It is always best to bite one's tongue, or take a night to cool off before responding to that email or forum post. Look at it this way: if you are not sure about whether or not you should post that retort or send that email, then odds are you shouldn't. Remember, the Internet is largely a tone-deaf medium, so choose your words carefully as they represent you and your company.


Immunity releases new debugger

Dave Aitel, CTO of Immunity, has released their new debugger, which was built using Python and exposes a Python scripting API. It boasts the industry's first heap analysis tool, and lets you "analyze malware, and reverse engineer binary files". I have not had a chance to play with it yet, but I'm fairly certain it will be quite good. On that note, many thanks to Dave Aitel and company for donating a ton of billable hours in order to develop Immunity Debugger and then release it for free.


Is the Intrusion Detection System, IDS, dead?

There have been quite a few people, and some questionable research groups, who have declared the Intrusion Detection System (IDS) dead: no longer a relevant technology, and all that. Well, I for one would disagree with that statement. While the IDS is not the be-all and end-all of network security, it is still a vital piece of it. The main problem with them is that the people who administer them often don't have the requisite knowledge. They would be hard pressed to differentiate between an ICMP echo request and an ICMP echo reply. Much like any piece of network security technology, it is only as good as the person administering it.


Latest OSSEC release

Hi guys,

OSSEC will be releasing its latest version this upcoming week. In case some of you have not heard of it, it is an open source, host-based Intrusion Detection System (HIDS). It does more than that though: log analysis, file integrity checking, and Windows registry monitoring, to name but a few. Really quite a good security program, and to boot, it is free :-). You simply have to love open source. It would be great if they could also get a buck or two to help them along in their efforts. Check it out!


VMware aware malware

VMware-aware malware. Say that fast five times! It was only a matter of time really before malware authors began to build into their creations the ability to detect VMware. This technique has been in use for well over a year now, and is not exactly news. What is news, though, is the ability to break out of the traditional model of malware, much as the authors of this news piece allude to. One of the more interesting wrinkles in malware is that of encrypting a user's or network's hard drives and then holding them for ransom. That is something I wrote about well before it hit mainstream media, thank you very much! :-P So on that note, have any of you guys retrieved any interesting pieces of malware on your networks?


What’s all the fuzz about?

If you are in the computer security industry, or a student of it, then it is likely that you have heard of fuzzing. This "fuzzing" is by no means new, but it remains a very effective technique for finding flaws in software. Not only can you use fuzzing to find bugs in programs such as Internet Explorer and other web browsers, but you can also use it against network protocols. This is one area that is very much worth exploring if you are new to it. Quite a few fuzzing tools are out there to be used, and many are free :-). Give it a shot; odds are you will find it a worthwhile endeavor.
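To make the idea concrete, here is a small mutation fuzzer aimed at a toy length-prefixed network message format. This is an added example, not code from the post or from any of the fuzzing tools it refers to; the wire format, the deliberately buggy parser and the hardened parser are all constructed for the demonstration. The fuzzer mutates a valid seed message, treats ValueError as the parser's intended rejection path, and reports any other exception as a crash.

```python
import random
from typing import Callable, Optional

# Constructed toy wire format (not a real protocol):
#   2 bytes magic "MS" | 1 byte type | 1 byte payload length | payload | 1 byte checksum
# checksum = sum of payload bytes modulo 256.


def parse_message(data: bytes) -> dict:
    """Deliberately buggy parser: trusts the declared length field."""
    if len(data) < 4 or data[:2] != b"MS":
        raise ValueError("bad header")
    mtype = data[2]
    length = data[3]
    payload = data[4:4 + length]
    # BUG: if the sender lies about `length`, this index is past the end of the
    # buffer. In C this would be an out-of-bounds read; here it surfaces as an
    # IndexError, which is the "crash" the fuzzer hunts for.
    checksum = data[4 + length]
    if (sum(payload) & 0xFF) != checksum:
        raise ValueError("bad checksum")
    return {"type": mtype, "payload": payload}


def parse_message_fixed(data: bytes) -> dict:
    """Hardened parser: validates the declared length against the buffer."""
    if len(data) < 4 or data[:2] != b"MS":
        raise ValueError("bad header")
    mtype = data[2]
    length = data[3]
    if len(data) < 4 + length + 1:
        raise ValueError("truncated message")
    payload = data[4:4 + length]
    checksum = data[4 + length]
    if (sum(payload) & 0xFF) != checksum:
        raise ValueError("bad checksum")
    return {"type": mtype, "payload": payload}


def build_message(mtype: int, payload: bytes) -> bytes:
    """Build a well-formed message to use as the fuzzing seed."""
    return b"MS" + bytes([mtype, len(payload)]) + payload + bytes([sum(payload) & 0xFF])


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random mutation: bit flip, byte overwrite, truncate or insert."""
    buf = bytearray(data)
    op = rng.randrange(4)
    if op == 0 and buf:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif op == 1 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == 2 and buf:
        del buf[rng.randrange(len(buf)):]
    else:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)


def find_crash(parser: Callable[[bytes], dict], seed: bytes,
               iterations: int = 2000, rng_seed: int = 1) -> Optional[bytes]:
    """Mutation fuzzer. ValueError is the parser's graceful rejection and is
    ignored; any other exception is an unexpected failure and its input is
    returned. Returns None if no crash was found."""
    rng = random.Random(rng_seed)
    for _ in range(iterations):
        candidate = mutate(seed, rng)
        try:
            parser(candidate)
        except ValueError:
            continue
        except Exception:
            return candidate
    return None


SEED = build_message(1, b"hello")

if __name__ == "__main__":
    print("buggy parser crash input:", find_crash(parse_message, SEED))
    print("fixed parser crash input:", find_crash(parse_message_fixed, SEED))
```

The same harness finds nothing against parse_message_fixed, which is the check you want before shipping the fix. Against a real target the parser call becomes a socket write to the service under test, and "crash" becomes a dead process or a debugger breakpoint rather than a Python exception.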


Scripting and Security

For me, scripting and programming have never really come easily. It is something that I need to work on, and continue to work at. Programming, though, is something that I have pretty much given up on due to a lack of time. Scripting, however, is something I force myself to keep picking at. The sheer versatility of being able to write scripts in Perl, Python or another such language cannot be stressed enough for the security professional. Actually, I wrote a two part series on it that you may wish to give a read. It gives a pretty good example of just how versatile a tool scripting can be. What I plan on doing in the short term is to try and devote an hour a day to scripting. A lofty goal I am sure, but one I will strive to attain. What about you guys, any preferred language?


Detecting hacks via outbound packets

Well, we pretty much all know that Intrusion Detection Systems (IDS) are security programs based on signatures. These signatures can be ASCII or hex patterns, and ports, amongst other fields. While an IDS will not catch everything, especially 0-day exploits, you can still try to catch the hacker who dropped a 0-day on you. How, you ask? Well, most hacks have a predictable end state, i.e. remote code execution via a command shell or a similar type of strategy. The trick is then to build signatures to catch such outbound command sessions. Yep, that means stuff like C:\ and C:\Windows\system32 and the like. That, plus xp_cmdshell, which could be the result of an SQL injection. These are some of the obvious ones to look for. What takes time is to look for the not so obvious signs of outbound connectivity :-)

