Following our popular article on Threat vs Vulnerability vs Risk, this article digs a little deeper into Risk Analysis, by considering Hybrid – qualitative and quantitative – Risk Analysis.
In our last article, we defined a Threat as the coincidence of an Actor, Motivation and an exploitable Vulnerability. We went on to define Risk as the product of a Threat, Probability and Business Impact.
Let us start this article with a flow chart illustrating the relationship between some of the concepts in Risk Analysis. We show the corporation in the centre, the …
As part of our popular series on assessment and mitigation of risk in an enterprise, I thought I’d put forward some thoughts on hiring practice and controls that can mitigate the risk posed by employees.
Hiring Practices
Firstly, and even before a prospective employee is brought in for interview, the organisation should understand what they are looking for. A comprehensive Job Description is essential. It should be used not only for long listing, but also as the basis for ongoing performance reviews.
Reference Checks should be used to determine the truthfulness of a …
Network Security Monitoring
Sguil (pronounced sgwheel) is a Network Security Analysis tool that facilitates the practice of Network Security Monitoring (NSM). Richard Bejtlich, a former Military Intelligence Officer with the US Air Force and now Director of Incident Response at General Electric, introduced the concept in his book, The Tao of Network Security Monitoring.
NSM involves the collection, analysis and escalation of warnings in order to detect and respond to network intrusions. It uses a traditional IDS system – like SNORT – as an alerting mechanism, but also relies on a full spectrum …
GreenSQL recently released version 1.20 of their SQL firewall. So, what does an SQL firewall do, how does it work, and how is it installed?
An SQL firewall acts as a proxy server for SQL requests. It blocks known administration commands (DROP, CREATE, etc.) and rates all others against a risk matrix, blocking those that are deemed to be malicious (e.g. as a result of SQL injection). It sits between the web application server (e.g. Apache) and the database server (e.g. MySQL or PostgreSQL). It is technically a reverse proxy (it …
Intego, a Mac OS X-only anti-virus vendor, last week released some early details of Xprotect – the anti-malware system released by Apple with the Snow Leopard version of OS X.
Since then, Sophos have done some analysis of Xprotect and discovered that it is activated by an extended file attribute set by downloader applications like Safari, Mail, Firefox and Entourage.
How much information is available on those responsible for the Koobface attack? One of the main attack servers – kukuruku-290709.com – is registered to Polev Andrei. This article looks for information on Andrei Polev using his name and e-mail address as a starting point.
Twitter suffered a well-publicised denial of service last night. The attack, which succeeded in bringing down the service for over an hour, also caused problems for Facebook, LiveJournal and other social networking sites.
What is a Denial of Service (DoS) attack? Exactly what it says on the tin – an attack that denies a particular service to a target user or population. It could involve manipulating the computer of a single user to deny them access to the network or a particular website. Usually, though, it involves targeting a particular service at its source and denying it to the whole population.
A threat is comprised of three components – an actor, their motivation and a vulnerability. Risk requires the presence of a threat and is based on the probability of a particular impact on the business as a result of that threat. If we wish to compare the risk profile of OSX to that of Vista or Linux, we should start by comparing each of the components of risk.
The topic of OSX security is the subject of fierce debate. Die-hard fans will swear that OSX is infallible, and opinion is certainly skewed by prejudice from advocates on both sides of the argument and the media. This article therefore attempts to analyse the argument quantitatively – as far as that is possible – and produce an objective statement of risk.
The Google Hacking technique proved effective at searching for domains that include the in.cgi?x pattern highlighted as part of the Nineball (and probably many other) attacks. In addition to the domains already listed on this site, a number of additional sites were illuminated.
Domains directly associated with the Nineball attack:
rnw.kz
bro.tw
rmi.tw
molo.tw
zedi.tw
sovi.tw
dmr.tw
stopssse.info
Other domains exhibiting similar URLs, uncovered using Google Hacking, are below. At least one (google-analytstic.com) also links to the Nineball final page, stopssse.info.
Websense Threatseeker is reporting a new obfuscated Javascript injection attack, this time affecting up to 40,000 websites.
If a user visits one of the infected sites, they are redirected through a series of different sites owned by the attacker and brought to the final landing page containing the exploit code …. The final landing page records the visitor’s IP address. When visited for the first time, the user is directed to the exploit payload site. But when visited again from the same IP address, the user is directed to the …
Introduction to WEP Cracking
This article introduces Wired Equivalent Privacy (WEP) for 802.11 wireless LAN networks, gives a brief overview of the cryptanalysis techniques against it and then demonstrates the use of the aircrack-ng tool.
The examples in this article are all based around 64-bit WEP, though identical issues exist with 128-bit WEP.
Wired Equivalent Privacy
All stations utilising WEP share a common root key. In 64-bit WEP this root key is 40-bits long. When a packet requires encryption a 24-bit Initialisation Vector (IV) is chosen (from a pool of 16,777,216 possible values). …
I’ve been running a Nepenthes low-interaction honeypot over the last few months and have collected almost 900 binaries, 80 of which are unique. Upcoming posts will focus on static and dynamic analysis of some of this malware.
Geographic Source of Attacks
I used the new Fusion Tables service from Google to visualise the geographical sources of some of the attacks. The intensity map below shows that the majority come from the UK, Eastern Europe, Russia and China.
What is it?
Gumblar is the latest in a series of worm infestations that started with the Conficker outbreak in late 2008. Gumblar is a worm in two halves – a server infection with associated botnet, and a client infection with associated botnet.
Though the attack is circular, let’s assume, for the sake of argument, that the attack begins with a victim browsing to an infected website. The site is infected with an injected Javascript. This Javascript downloads a further Javascript from one of a series of Chinese servers (most of …
In an attempt to gain a better understanding of who was registering Conficker.A/B DNS rendezvous points (either out of interest, for malicious purposes or for sinkholing), I have used downatool2 from Bonn University, Germany to calculate all the rendezvous points from January – May for Conficker.A and for B.
I ran WHOIS checks on all 90,000 names and extracted the registrant from those that exist. Where I could get an e-mail address I have, falling back on name or registrar where no e-mail address was available.
Conficker.A Analysis
Conficker.A domains were largely unregistered …