May 2012
3 posts
5 Favorite Security Reads of the Week
Here’s a listing of my 5 favorite on-line security articles, papers and blog posts that I read in the past week: Why the Public Cloud Shuns Security by Branden Williams; SEC Guidance Is a Really Big Deal by Richard Bejtlich; How Long Until Apple iOS Needs Its Own Patch Super Tuesday? by Mark Kelly; Cyber Espionage & Strategic Web Compromises by Steven Adair and Ned Moran; Why Info Sec...
May 19th
How Malicious Code Can Run in Microsoft Office...
One of the most effective methods of compromising computer security, especially as part of a targeted attack, involves emailing the victim a malicious Microsoft Office document. Even though the notion of a document originally involved non-executable data, attackers found ways to cause Microsoft Office to execute code embedded within the document. Below are 4 of the most popular techniques used to...
May 17th
Confusing the Padlock and the Favicon in the Web...
Web browser makers are continuing to change how they display two visual elements that people have been taking for granted: the padlock that designates an HTTPS connection and the favicon that acts as the thumbnail of the website’s visual identity. These changes are aimed at helping to minimize the risk that a favicon that looks like a lock might instill a false sense of security. Users of...
May 13th
April 2012
3 posts
5 Favorite Security Reads of the Week
Here’s a listing of my 5 favorite on-line security articles, papers and blog posts that I read in the past week: Security Failure Scenarios by Gunnar Peterson; Big Brother Forensics: Device Tracking Using Browser-Based Artifacts (Part 1) by Chad Tilbury; What’s RIGHT with Infosec by Dave Shackleford; Trojan moves its configuration to Twitter, LinkedIn, MSDN and Baidu by Snorre...
Apr 14th
Slides for Presentation on Real-World Social... →
I published the slides to my presentation “How attackers use social engineering to bypass your defenses,” which shows numerous examples of real-world social engineering attacks. These materials are designed to help you improve the relevance of your security awareness training and to adjust your data defenses by revisiting your perspective of the threat landscape. They cover techniques...
Apr 14th
Are Anxious People More Vigilant in Information...
Common wisdom suggests that anxious individuals are better at spotting danger than those with more mellow personalities. However, research by Tahl Frenkel and Yair Bar-Haim indicates that the opposite may be true: People with nonanxious personalities might be more skilled at spotting the early signs of trouble. This finding could highlight the type of people best suited for information security...
Apr 12th
March 2012
4 posts
4 Favorite Security Reads of the Week
Here’s a listing of my 4 favorite on-line security articles, papers and blog posts that I read in the past week. This week I’m featuring a series of articles that profile Anonymous that were written by Josh Corman and Brian Martin: Introduction & Approach; Fact vs Fiction; How We Got it All Wrong; How Anonymous Has Failed in Theory & Practice. Also, during the past week I...
Mar 17th
The Risks of Remote Desktop for Access Over the...
It’s convenient to use the Remote Desktop Protocol (RDP) for accessing systems over the Internet, especially in server environments. However, exposing RDP to direct connections is risky. This setup not only gives remote attackers the opportunity to guess logon credentials, but also relies on the lack of a remotely-exploitable vulnerability in Microsoft’s RDP implementation. ...
Mar 13th
“I recognize that my code will be used in ways I cannot anticipate, in ways it...”
– An excerpt from the Rugged Software Manifesto
Mar 1st
February 2012
7 posts
5 Favorite Security Reads of the Week
Here’s a listing of my 5 favorite on-line security articles, papers and blog posts that I read in the past week: More or Less by Dan Geer (PDF); The SpyEye Competitive Landscape by Gunter Ollmann; Password Check by Frank Lesser; Trojan Caught on Camera Shows CAPTCHA is Still a Security Issue by Elad Sharf; Vishing: To Have Your Identity Stolen, Press One by Idan Aharoni. Also, during the...
Feb 18th
Why Are Executives More Prone to Accept Risks?
Information security professionals are often frustrated when their concerns regarding vulnerabilities and associated threats appear to be ignored by the company’s executives. I already discussed 6 reasons why business managers ignore IT security risk recommendations. I’d like to add a few more to the list, based on recent research into the links between power, prestige and...
Feb 16th
An Example of SMS Text Phishing
Phishing—a technique grounded in social engineering—remains an effective way for attackers to trick people into giving up sensitive information. Potential victims can be contacted by email, fax, phone calls and SMS text messages. Below is an example of such a scam sent through SMS—a practice sometimes called smishing. In this case, the recipient is requested to visit...
Feb 14th
The Role of a Resume in an IT Job Search
Although people tend to rely too much on a resume during an IT job search, having a strong resume is still necessary for many job applications and candidates. In my mind, the goal of a resume is primarily to get past the initial screening, which is often conducted by an HR representative or a recruiter. A good resume allows the candidate to reach the hiring manager and start deeply...
Feb 7th
Hiring a Software Engineering Manager in Dallas,...
Update: This position has been filled. I’m looking for a software engineering manager to join my team at NCR in Dallas, TX. The person supervises the team’s activities, motivating team members and instituting processes for Agile-inspired development practices. The manager is responsible for the team meeting its commitments and works closely with the team’s technical lead to...
Feb 5th
Who Was The First To Use The Term Exfiltration?
Information security professionals seem to use the word exfiltration with increasing frequency. However, it remains a relatively geeky way of referring to the process whereby data leaves a compromised network. That’s why I was surprised to see VeriSign use this term to describe its 2010 data breach in a 2011 SEC filing when saying, “Information stored on the compromised corporate...
Feb 3rd
Some Facts and Conjecture About the VeriSign Data...
The web is abuzz with stories about the 2010 data breach that VeriSign reported in its Oct 28, 2011, 10-Q statement. The document devotes a couple of paragraphs to the breach and includes the following: “In 2010, the Company faced several successful attacks against its corporate network in which access was gained to information on a small portion of our computers and servers. We have...
Feb 2nd
January 2012
4 posts
Anticipating The Future of User Account Access...
We might learn what the future holds for information technology by observing how teens use IT. After all, a decade or so from now, today’s teenagers will be consuming, influencing and creating a significant portion of IT products and services. In this note I’d like to consider how today’s use of shared user accounts among teens might influence our future access restriction...
Jan 28th
Dealing With The Illusion of Invulnerability in...
People overestimate their immunity to threats in many situations. One such example is discussed in a research paper by Grant and Hofmann, which explores how to motivate hand hygiene among healthcare professionals. Their findings might apply to other areas where individuals experience the illusion of invulnerability, including information security. According to the researchers, doctors and...
Jan 23rd
“2012 may well become known as the year the criminal underground started getting...”
– Brian Krebs, discussing the search engine that “aggregates data about compromised payment cards, and points searchers to various fraud shops selling them.”
Jan 18th
Using Free Windows XP Mode as a VMware Virtual...
It’s becoming hard to obtain a licensed copy of Windows XP. Yet, many IT professionals, including malware analysts, like having Windows XP in their virtualized labs. After all, Windows XP is still running on numerous personal and business systems. Fortunately, you can download a virtualized instance of Windows XP from Microsoft for free if you are running Windows 7 Professional, Enterprise,...
Jan 13th
December 2011
4 posts
New Release of the REMnux Linux Distro is Now...
I’m happy to announce the release of version 3 of the REMnux Linux distribution for reverse-engineering malware. This release incorporates many usability improvements, software updates and new tools to make the environment even more useful for analyzing malicious software. REMnux is available as a VMware virtual appliance and as an ISO image of a Live CD. The easiest way to get started...
Dec 15th
5 Favorite Security Reads of the Week
Here’s a listing of my 5 favorite on-line security articles, papers and blog posts that I read in the past week: Lost USB Keys Have 66% Chance of Malware by Paul Ducklin; Changes Coming to the CISO Role by Jon Oltsik; Twitter Bots Drown Out Anti-Kremlin Tweets by Brian Krebs; Common Ways Security Fails People by Ben Tomhave; Manipulating Windows File Protection and Indicators of Compromise...
Dec 10th
5 Favorite Security Reads of the Week
Here’s a listing of my 5 favorite on-line security articles, papers and blog posts that I read in the past week: Analyzing Malicious Files for Writing Network Signatures by Umesh Wanve; SMS Trojans: All Around the World by Denis Maslennikov; Verified by Visa? by Rik Ferguson; Stealing Apps, Installing Ads by Tim Armstrong; China’s Great Firewall Tests Mysterious Scans On Encrypted...
Dec 3rd
Incident Response on 64-Bit Windows Using 32-Bit...
Incident responders and forensic investigators need to be careful when using 32-bit tools to examine file system artifacts on 64-bit Windows. Christian Wojner documented the issue in a paper titled The WOW-Effect. He demonstrated how the WOW64 file system and registry redirection built into 64-bit Windows transparently redirects a 32-bit tool’s access to core OS directories (a 32-bit process that opens System32 is silently handed SysWOW64) and to certain registry keys. This is...
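The effect is easier to reason about with a small model. The Python below is an added example, not code from Wojner’s paper: it encodes the file system redirection rules Microsoft documents (System32 maps to SysWOW64 for 32-bit processes, a few subdirectories such as drivers\etc are exempt, and the Sysnative alias reaches the real System32) so you can predict which file a 32-bit tool will actually open. The C:\Windows installation path is an assumption; registry redirection and the Program Files mapping are outside the model.

```python
"""Model of WOW64 file system redirection for 32-bit processes (added example).

Predicts the on-disk path a process really reaches when it asks for a path under
%windir%\\System32. Only string handling, so it runs on any platform.
"""
import ntpath

WINDIR = r"C:\Windows"   # assumption: default installation directory

# Subdirectories of System32 that WOW64 leaves alone (per Microsoft's documentation)
EXEMPT = ("catroot", "catroot2", "driverstore", r"drivers\etc", "logfiles", "spool")


def _split_system32(path):
    """Return the part of PATH below System32, or None if PATH is not under it."""
    prefix = ntpath.join(WINDIR, "System32").lower()
    low = path.lower()
    if low == prefix:
        return ""
    if low.startswith(prefix + "\\"):
        return path[len(prefix) + 1:]
    return None


def effective_path(path, process_bits=64):
    """Path that a PROCESS_BITS-bit process actually opens when it asks for PATH."""
    path = ntpath.normpath(path)
    low = path.lower()
    # The Sysnative alias exists only for 32-bit processes and bypasses redirection.
    sysnative = ntpath.join(WINDIR, "Sysnative").lower()
    if process_bits == 32 and (low == sysnative or low.startswith(sysnative + "\\")):
        return ntpath.join(WINDIR, "System32") + path[len(sysnative):]
    if process_bits == 64:
        return path                     # 64-bit processes see the real file system
    rest = _split_system32(path)
    if rest is None:
        return path                     # not under System32: no redirection
    rest_low = rest.lower()
    for exempt in EXEMPT:
        if rest_low == exempt or rest_low.startswith(exempt + "\\"):
            return path                 # exempt subdirectory: 32-bit view is accurate
    return ntpath.join(WINDIR, "SysWOW64", rest) if rest else ntpath.join(WINDIR, "SysWOW64")


def redirected(path, process_bits=32):
    """True when a tool of PROCESS_BITS bits would silently see a different file."""
    return effective_path(path, process_bits).lower() != ntpath.normpath(path).lower()


def native_path_for_32bit_tool(path):
    """Rewrite PATH through the Sysnative alias so a 32-bit tool reads the real file."""
    rest = _split_system32(ntpath.normpath(path))
    if rest is None or not redirected(path):
        return path
    return ntpath.join(WINDIR, "Sysnative", rest)


if __name__ == "__main__":
    for p in (r"C:\Windows\System32\config\SAM", r"C:\Windows\System32\drivers\etc\hosts"):
        print("%s -> 32-bit tool opens %s" % (p, effective_path(p, 32)))
```

The practical use is the last function: before pointing a 32-bit collection tool at a System32 artifact on a 64-bit host, rewrite the path through Sysnative, or run a 64-bit build of the tool instead.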
Dec 2nd
November 2011
5 posts
Balancing Brevity and Verbosity in Business...
“The most valuable of all talents is that of never using two words when one will do,” proclaimed Thomas Jefferson two centuries ago. Succinctness seems even more valuable in the 21st century, where we’re bombarded by words in spoken and written forms. However, knowing how to be brief is no less critical than knowing when to be brief. I generally recommend assuming that the audience...
Nov 22nd
5 Favorite Security Reads of the Week
Here’s a listing of my 5 favorite on-line security articles, papers and blog posts that I read in the past week: The Duqu Saga Continues: Enter Mr. B. Jason and TV’s Dexter by Alexander Gostev; A New Cybersecurity Research Agenda (In Three Minutes or Less) by Dan Geer; Facebook Likes and Cold-Call Scams by David Harley; APEC SpearPhish by Kahu Security; Managed Services in a Security...
Nov 12th
Extracting Malicious Flash Objects from PDFs Using...
PDF files designed for infecting computer systems can include a malicious Flash/SWF program that’s designed to aid in exploiting a vulnerability in Adobe Reader or Flash Player. In an earlier article I explained how to extract SWF object from a PDF file using PDF Stream Dumper and pdf-parser. A new tool SWF Mastah, by Brandon Dixon, can assist with this process as well. SWF Mastah makes use...
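As an added example that is not SWF Mastah, pdf-parser or PDF Stream Dumper, the Python below does the core of the job by hand: it finds stream objects in a PDF, inflates the FlateDecode ones and keeps those that start with an SWF signature (FWS, CWS or ZWS). The PDF it scans is constructed inline for the example, and the SWF header inside it is a stand-in rather than a real Flash program.

```python
"""Pull embedded Flash (SWF) objects out of a PDF's streams (added example)."""
import re
import struct
import zlib

SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")   # uncompressed, zlib-compressed, LZMA-compressed
STREAM_RE = re.compile(rb"<<(.*?)>>\s*stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def decode_stream(dictionary, raw):
    """Apply the one filter this example understands; leave other streams as-is."""
    if b"/FlateDecode" not in dictionary:
        return raw
    try:
        return zlib.decompress(raw)
    except zlib.error:
        # Malicious files often carry truncated or junk-padded streams: salvage what inflates.
        try:
            return zlib.decompressobj().decompress(raw)
        except zlib.error:
            return raw


def extract_swf(pdf_bytes):
    """Return (object_dictionary, swf_bytes) for every stream that decodes to an SWF."""
    found = []
    for dictionary, raw in STREAM_RE.findall(pdf_bytes):
        data = decode_stream(dictionary, raw)
        if data[:3] in SWF_MAGIC:
            found.append((dictionary.strip(), data))
    return found


def swf_info(swf):
    """SWF header fields: (signature, version, declared uncompressed length)."""
    sig, version, length = struct.unpack("<3sBI", swf[:8])
    return sig.decode("ascii"), version, length


def uncompress_swf(swf):
    """Inflate a CWS body so tag parsing or string searches can run over clear bytes."""
    sig, _version, _length = swf_info(swf)
    if sig == "CWS":
        return b"FWS" + swf[3:8] + zlib.decompress(swf[8:])
    return swf   # FWS is already clear; ZWS (LZMA) is left to a dedicated tool


def build_sample_pdf():
    """Constructed PDF fragment: one FlateDecode stream holding a CWS, one holding text."""
    # Stand-in for an SWF body (RECT, frame rate, frame count, then padding), not real Flash.
    fake_body = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x0c\x01\x00" + b"\x00" * 32
    swf = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(fake_body)) + zlib.compress(fake_body)

    def obj(num, dictionary, body):
        return b"%d 0 obj\n<<%s /Length %d>>\nstream\n%s\nendstream\nendobj\n" % (
            num, dictionary, len(body), body)

    return (b"%PDF-1.6\n"
            + obj(4, b"/Type /EmbeddedFile /Subtype /application#2Fx-shockwave-flash /Filter /FlateDecode",
                  zlib.compress(swf))
            + obj(5, b"/Filter /FlateDecode", zlib.compress(b"BT /F1 12 Tf (Hello) Tj ET"))
            + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    for dictionary, swf in extract_swf(build_sample_pdf()):
        print(swf_info(swf), dictionary[:60])
        open("extracted.swf", "wb").write(uncompress_swf(swf))
```

Real samples also hide SWFs behind other filters (ASCIIHex, ASCII85, RunLength, filter chains) and in object streams, which is exactly the case the tools named in the post handle; the point of the example is what the extraction step boils down to.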
Nov 10th
Preparing The Next Release of REMnux Distro
Update: REMnux v3 is out! I’m preparing the next release of the REMnux Linux distribution. REMnux is a lightweight Linux distribution for assisting malware analysts in reverse-engineering malicious software. To date, the distro has been downloaded about 20,000 times in its live CD and virtual appliance forms. I expect the new REMnux release (version 3) to incorporate the following major...
Nov 9th
5 Favorite Security Reads of the Week
Here’s a listing of my 5 favorite on-line security articles, papers and blog posts that I read in the past week: Applied Network Security Analysis: The Malware Analysis Use Case by Mike Rothman; Stolen Password Checking: A Question of Trust by David Harley; Intro to HDMoore’s Law by Josh Corman; Breaking Into the Digital Forensics Field: Melia Kelley’s Path by Michael Kassner; ...
Nov 5th
October 2011
16 posts
Assigning Descriptive Names to Malware - Why and...
In addition to naming malware according to predictable formats, as I described earlier, security firms often assign descriptive names to high-profile malicious programs. The researcher who coins the name that sticks, should the specimen gain notoriety, gets bragging rights. The person’s employer might also benefit from a slight marketing boost. It’s natural for a researcher...
Oct 31st
5 Favorite Security Reads of the Week
Here’s a listing of my 5 favorite on-line security articles, papers and blog posts that I read in the past week: The End of Hearsay by Craig Wright; Data Exfiltration and Output Devices - An Overlooked Threat by George Silowash; Inside Facebook’s Massive Cyber-Security System by Jim Giles; The Mystery of Duqu: Part Two by Aleks Gostev; Capability and Maturity Model Creation in...
Oct 29th
The Adversarial Cycle of Computer Attacks and...
Understanding the dynamics of the actions taken by computer attackers and defenders is tricky, in part because attackers’ motivations and methods vary. Tao Stein, Erdong Chen and Karan Mangla defined a promising model, called the adversarial cycle, in the paper that describes the Facebook Immune System. The authors described the cycle using a diagram that I recreated below: The authors...
Oct 27th
How Security Companies Assign Names to Malware...
There have been several attempts to standardize the conventions used to name malware samples. Yet, picking malware names in a consistent manner is harder than one might assume. Security companies tend to assign names to malware according to variations of the CARO naming scheme. CME was another effort for assigning identifiers to malicious programs; this project focused on high-profile malware and...
Oct 26th
3 Free Tools to Fake DNS Responses for Malware...
When analyzing malware using behavioral techniques, it’s often useful to intercept network connections in your lab. Since malicious software commonly uses hostnames when communicating with network resources, you can redirect such connections by defining the desired hostname to IP address mapping. Here are 3 free tools that can make it easy to accomplish this. Rather than providing the...
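As an added example, not one of the three tools the post describes, here is a minimal fake DNS responder in Python that does the same job: it answers every A query with a lab IP of your choosing, so the malware’s hostname lookups land on a host you control. The lab address 10.0.0.5, the bind port 5353 and the query names used below are assumptions for illustration; the wire format follows RFC 1035.

```python
"""Minimal fake DNS responder for a malware-analysis lab (added example)."""
import socket
import struct

LAB_IP = "10.0.0.5"   # assumption: the lab host that should receive the redirected traffic


def build_query(name, qtype=1, txid=0x1234):
    """Construct a DNS query for NAME; used to exercise the responder offline."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_question(packet):
    """Return (txid, flags, qname, qtype, qclass, end_offset) for the first question."""
    txid, flags, qdcount = struct.unpack("!HHH", packet[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:   # a compression pointer is not valid inside a query name
            raise ValueError("unexpected label pointer in question")
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return txid, flags, ".".join(labels), qtype, qclass, pos + 4


def make_response(query, answer_ip=LAB_IP, ttl=60):
    """Answer any A/IN question in QUERY with ANSWER_IP.

    Other record types get an empty, non-error reply so the client moves on
    rather than retrying elsewhere.
    """
    txid, flags, _qname, qtype, qclass, qend = parse_question(query)
    answer = qtype == 1 and qclass == 1
    rflags = 0x8480 | (flags & 0x7900)   # QR=1, AA=1, RA=1; opcode and RD copied from query
    header = struct.pack("!HHHHHH", txid, rflags, 1, 1 if answer else 0, 0, 0)
    rr = b""
    if answer:
        # NAME as a pointer to offset 12 (the question's QNAME), TYPE A, CLASS IN, RDLENGTH 4
        rr = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
    return header + query[12:qend] + rr


def answered_ip(response):
    """IPv4 address carried by a single-answer A response, or None if it has no answer."""
    ancount = struct.unpack("!H", response[6:8])[0]
    return socket.inet_ntoa(response[-4:]) if ancount else None


def serve(bind=("127.0.0.1", 5353)):
    """Run the responder; point the malware VM's DNS setting at this host (port 53 needs root)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        data, peer = sock.recvfrom(512)
        try:
            _, _, qname, qtype, _, _ = parse_question(data)
            print("%s asked for %s (type %d) -> %s" % (peer[0], qname, qtype, LAB_IP))
            sock.sendto(make_response(data), peer)
        except (ValueError, IndexError, struct.error):
            continue   # malformed query: drop it and keep serving


if __name__ == "__main__":
    serve()
```

The printed log of what the specimen asked for is often as valuable as the redirection itself, since the hostnames are indicators you can later search for in proxy and DNS logs.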
Oct 24th
5 Favorite Security Reads of the Week
Here’s a listing of my 5 favorite on-line security articles, papers and blog posts that I read in the past week: SpyEye vs. Tracker by Dmitry Tarakanov; Dirt Jumper DDoS Bot - New Versions, New Targets by Andre’ M. DiMino and Mila Parkour; Think About What You Want From Your QSA/QSAC by Martin McKeay; The Evolution of Memory-Only Malware by Martin Pillion; Software Pirate Cracks...
Oct 22nd
How Antivirus Software Works: 4 Detection...
Though endpoint antivirus tools may differ in their implementation of malware-detection approaches, they tend to incorporate the same 4 essential techniques. In an article for SearchSecurity, I described at a high level how these techniques function, covering signature-based detection, heuristics-based detection, behavioral detection and cloud-based detection. Read the full article to learn more about...
Oct 18th
I'm Hiring a Manager for My IT Services Team in...
As you might know, I am leading a growing division at Radiant Systems (now part of NCR Corporation) that provides managed security and related services to small and midsize businesses. I’m looking to hire a manager in Dallas, TX, with experience in supervising a team that delivers IT services. This is an excellent time to join the team, as you’ll have the opportunity to shape the...
Oct 17th
“APT is a geopolitical problem.”
– Eric Huber, sharing his perspective on the context within which APT attacks occur.
Oct 16th
5 Favorite Security Reads of the Week
Here’s a listing of my 5 favorite on-line security articles, papers and blog posts that I read in the past week: Malware using the Local Group Policy to Gain Persistence by Martin Pillion; Best Practices for Reporting Badware URLs by StopBadware; DDoS Watch: Keeping an Eye on Aldi Bot by Curt Wilson; The State of Hacked Accounts by Commtouch; Microsoft Breaks New Legal Ground by Benjamin...
Oct 15th
Capabilities and Limitations of Enterprise...
Standalone antivirus products have matured to encompass a variety of tools for securing endpoints in an enterprise setting. As the threats associated with malicious software increase in sophistication, so do the capabilities of antimalware tools. Understanding the capabilities and limitations of components that form such a suite is critical to selecting the right product and deriving value from...
Oct 13th
Looking for Infected Systems as Part of a Security...
There are many types of information security assessments. These projects typically look for security weaknesses, so that the organization can address the issues in a prioritized manner. The results of such assessments, especially those focused on identifying internal IT infrastructure vulnerabilities, are often the same: the organization lacks critical security patches, which puts its data at...
Oct 12th
The Need for Ethics When Researching Social...
Tactics that incorporate social engineering can be highly effective at bypassing security controls. Perhaps we are vulnerable to social engineering because of the traits and behaviors that allow us to quickly make decisions that sometimes turn out to be wrong. It’s important to study and understand such persuasion approaches, so we can adjust defenses appropriately. Yet, such research...
Oct 10th
Featured Security Posts from September 2011
Now that a new month is upon us, I wanted to highlight several posts I wrote on this security blog in September 2011: Twitter Social Networking Among Information Security People; Review Resumes to Understand Your Career Options; 9 Convenient Lies in Information Security; Design Information Security With Failure in Mind; Explaining Computer Security Terms to Ordinary People. I covered several...
Oct 3rd
“The bad guys could be badder, but most chose not to be.”
– Brandon Dixon, discussing obfuscation techniques that would complicate malware analysts’ efforts to analyze malicious PDF files.
Oct 2nd
5 Favorite Security Reads of the Week
Here’s a listing of my 5 favorite on-line security articles, papers and blog posts that I read in the past week: How Kaspersky Lab Disabled the Hlux/Kelihos Botnet by Tillmann Werner; How Two Scammers Built an Empire Hawking Sketchy Software by Benjamin Wallace; Enterprise Anti-forensics by Andrew Valentine; Force Attacker Perfection by Rich Mogull; Relations Between Spammed Malware by...
Oct 1st
September 2011
24 posts
8 Reasons for Denial-of-Service (DoS) Attacks
Denial-of-service (DoS) attacks affect numerous organizations connected to the Internet. They disrupt normal business operations, are practically impossible to prevent and are costly and time-consuming to handle. It pays to spend some time understanding the way a DoS incident might affect your organization and how you might handle the situation. One way to start thinking about your ability to...
Sep 28th
Using ICMP Reverse Shell to Remotely Control a Host
Tightly restricting the traffic that leaves the protected network for the Internet is hard without breaking important applications. Among the protocols that are often allowed to cross the Internet boundary is ICMP, which carries error and diagnostic messages (such as ping) on behalf of other network traffic. Unfortunately, attackers can also use ICMP to remotely...
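To make the mechanism concrete, the following is an added example, not the tool the post covers: it builds and parses ICMP echo packets whose payload carries command text, and adds the check an egress monitor would want, flagging echo payloads that do not look like a standard ping. Sending the packets needs a raw socket and root, which is left out; the session identifier 0x1337, the command strings and the payload heuristic are constructed for the example.

```python
"""ICMP echo as a covert command channel, plus a detection heuristic (added example)."""
import struct

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"   # the 32 bytes ping.exe sends


def checksum(data):
    """RFC 1071 one's-complement checksum (data padded to an even length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type, identifier, seq, payload):
    """ICMP echo request/reply header followed by PAYLOAD, with the checksum filled in."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, identifier, seq)
    csum = checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, identifier, seq) + payload


def parse_echo(packet):
    """Return (type, identifier, seq, payload); reject short or corrupted packets."""
    if len(packet) < 8:
        raise ValueError("short ICMP packet")
    if checksum(packet) != 0:          # a valid packet sums to zero with its checksum
        raise ValueError("ICMP checksum mismatch")
    icmp_type, _code, _csum, identifier, seq = struct.unpack("!BBHHH", packet[:8])
    return icmp_type, identifier, seq, packet[8:]


def operator_command(identifier, seq, command):
    """Operator side: hide a command in an echo request; IDENTIFIER tags the session."""
    return build_echo(ICMP_ECHO_REQUEST, identifier, seq, command.encode())


def victim_reply(packet, run):
    """Implant side: run the carried command via RUN and return its output in an echo reply."""
    icmp_type, identifier, seq, payload = parse_echo(packet)
    if icmp_type != ICMP_ECHO_REQUEST:
        return None
    output = run(payload.decode(errors="replace"))
    return build_echo(ICMP_ECHO_REPLY, identifier, seq, output.encode())


def looks_like_tunnel(payload):
    """Egress check: does this echo payload look like something other than a plain ping?

    Heuristic assumed for the example: accept the fixed patterns standard ping
    clients send, then flag oversized or text-like payloads.
    """
    if payload == WINDOWS_PING_PAYLOAD:
        return False
    # iputils ping fills the bytes after its timestamp with their own offset (0x10, 0x11, ...)
    if len(payload) >= 16 and all(payload[i] == (i & 0xFF) for i in range(16, len(payload))):
        return False
    if len(payload) > 64:
        return True
    printable = sum(32 <= b < 127 for b in payload)
    return len(payload) >= 4 and printable >= 0.9 * len(payload)


if __name__ == "__main__":
    request = operator_command(0x1337, 1, "whoami")
    reply = victim_reply(request, lambda cmd: "lab\\analyst\n")
    print(parse_echo(reply), "suspicious:", looks_like_tunnel(parse_echo(request)[3]))
```

On a real host the kernel answers echo requests itself, so an implant listens on a raw socket and the operator filters replies by the identifier; that plumbing is outside this offline example. For the defender, the takeaway is that blocking ICMP outright is rarely practical, but echo payloads that deviate from the fixed ping patterns, or that are larger than your clients ever send, are cheap to alert on.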
Sep 28th
5 Favorite Security Reads of the Week
Here’s a listing of my 5 favorite on-line security articles, papers and blog posts that I read in the past week: APT - The Plain Hard Truth by Greg Hoglund; Cultural CAPTCHAs by Brian Krebs; Five Reasons to Welcome Windows 8 AV, Five Reasons to Worry by Dave Piscitello; Unrealistic Security Expectations - Part 1 by Augusto Paes de Barros; An Open Letter To The Security Industry: We Live In...
Sep 24th
My Favorite Information Security Authors in the...
I’ve been documenting my favorite on-line information security reads on weekly basis. Curious to see which of the authors appeared in my “favorites” listings most often, I tallied up the results for the past year. Here is what the data shows… I mentioned roughly 250 security papers and articles. There were roughly 165 authors in the data set; about 125 of them were...
Sep 22nd