
Thursday, March 15, 2007

Paper: Case of Mistaken Identity

University of Washington researchers Kris Erickson and Philip Howard have an interesting new paper out, "A Case of Mistaken Identity? News Accounts of Hacker and Organizational Responsibility for Compromised Digital Records, 1980–2006." It is a thorough survey of the dramatic growth in reported breaches. A couple of notable quotes:
One important outcome of the legislation is improved information about the types of security breaches. Many of the news stories between 1984 and 2004 report paltry details, with sources being off the record and vague estimates of the severity of the security breach. Since mandatory reporting legislation in many states, most news coverage provides more substantive details. In 2006, only 10 of the 257 news stories were unable to make some attribution of responsibility for a security breach. (Emphasis added.)

Friday, March 09, 2007

Hardware-based rootkit detection proven unreliable

From ZDNet:

For years, we've been convinced by companies like Komoku and BBN Technologies that hardware-based RAM acquisition is the most reliable and secure way to sniff out the presence of a sophisticated rootkit on a compromised machine.

Joanna Rutkowska, a security researcher at COSEINC Malware Labs, an elite hacker who specializes in offensive rootkit research, has found several ways to manipulate the results given to hardware-based solutions (PCI cards or FireWire bus).

At this year's Black Hat DC conference, Rutkowska demonstrated three different attacks against AMD64 based systems, showing how the image of volatile memory (RAM) can be made different from the real contents of the physical memory as seen by the CPU.
You can find out more in Rutkowska's presentation slides.

Tuesday, March 06, 2007

Vista Research Papers

Symantec has released the first three of six technical research papers evaluating Windows Vista security components.

The research papers cover a range of Vista security mechanisms in-depth, from its Address Space Layout Randomization (ASLR) technology designed to thwart heap overflows and certain malware attack methods, to buffer overflow protection in Vista's Visual Studio C++ compiler and an evaluation of how well legacy malware works on Vista's OS.

The first paper is designed for technical managers and other IT professionals who want to understand the effectiveness of Windows Vista’s new security technologies. This paper will be valuable to decision makers who need to get a practical understanding of Windows Vista’s true security posture.

Threats from Within

From DarkReading:

Enterprises are leaking an increasing amount of data from the inside, and they aren't sure what to do about it.

Those are the conclusions of two new studies -- one from the Ponemon Institute and one from Enterprise Strategy Group -- being published today. Both of the reports suggest that enterprises should be shifting their security attention from the outside to the inside.

The new Enterprise Strategy Group report found that one third of the enterprises surveyed had experienced a loss of sensitive data in the last 12 months, while another 11 percent were unsure whether a breach occurred.

According to the new Ponemon study, nearly 60 percent of U.S.-based businesses and government agencies believe they are unable to effectively assess or quantify insider threat risks within their organizations, leaving them open to privacy breaches, failed audits, and potential fraud or misuse of data.

Wednesday, February 28, 2007

Open Source Web App Security

I read a blog posting by Ed Finkler "Do Open Source Devs Get Web App Security? Does Anybody?".

In it, he describes some disturbing statements found in the documentation of an open source content management system:

A colleague of mine who is dealing with Plone, a CMS system built atop Zope, pointed me to some rather disturbing documents in the Plone Documentation system, ones that I feel are indicative of a much larger problem in the web app dev community.

The first describes a hole (subsequently patched) in Plone that allowed users to upload arbitrary Javascript. Apparently no input or output filtering was being done. Certainly anyone familiar with XSS attacks can see the potential for stealing cookie data, but the article seems to think this is simply a spam issue.

In closing, Ed Finkler gives some blunt statements:

A web developer is not qualified to do the job if he or she does not have a good understanding of web application security concepts and techniques. Leaders of development teams must stop allowing developers who are weak on security techniques to contribute to their products, and managers need to stop hiring candidates who do not demonstrate a solid secure programming background. If they continue to do so, they demonstrate a lack of concern for the safety of their customers.

Thursday, February 22, 2007

NIST Publication on IDS and IPS technology

NIST has released a new publication (SP 800-94) that covers just about everything you can think of when it comes to IDS and IPS. The report is titled "Guide to Intrusion Detection and Prevention Systems (IDPS)".

Why blurring sensitive information is a bad idea

Dheera Venkatraman has published an article describing how blurring, when used to conceal information in an image, can be attacked.

In the article, he writes:

Undoubtedly you have all seen photographs of people on TV and online who have been blurred to hide faces.

For the most part this is all fine with peoples' faces as there isn't a convenient way to reverse the blur back into a photo so detailed that you can recognise the photo. So that's good if that is what you intended. However, many people also resort to blurring sensitive numbers and text. I'll illustrate why that is a BAD idea.

His suggestion for concealing information in images is simpler: just paint a solid color over it.

NIST Releases New Information Security Documents

The National Institute of Standards and Technology (NIST) has released two new information security documents.

  • NISTIR 7359, "Information Security Guide for Government Executives," is designed to "assist senior leaders in understanding how to oversee and support the development and implementation of information security programs."
  • NISTIR 7358, "Program Review for Information Security Management Assistance (PRISMA)" describes "a methodology developed by NIST for reviewing complex requirements and posture of a federal information security program."

Monday, January 22, 2007

SQL in Chocolate Cover

I got the following picture from Jeremiah Grossman's blog.


I highlighted the SQL code for your easy reading. :D

Link: Beyond The CPU: Cheating Hardware Based RAM Forensics

Joanna Rutkowska posted a blog about "Beyond The CPU: Cheating Hardware Based RAM Forensics".

Here is the main point of the blog:

The whole idea behind hardware based RAM acquisition is that the process of reading the memory is using Direct Memory Access (DMA) to read the physical memory. DMA, as the name suggests, does not involve CPU in the process of accessing memory. So, it seems to be a very reliable way for reading the physical memory…

But it is not! At least in some cases...
I look forward to reading her presentation about this after her Black Hat DC conference.