Events

Being Pro-Active Against the "0-Day" Threat

by Paul Asadoorian
January 21, 2010

Recent investigations into the Google "Aurora" incident uncovered evidence that Chinese attackers used a 0-day exploit for Internet Explorer to gain access to Google employees’ computer systems. This event has sparked the release of Microsoft Security Bulletin MS10-002 - Critical, and a public exploit for the vulnerability. To mitigate this vulnerability, Microsoft originally recommended that customers upgrade to Internet Explorer 8 and enable DEP (Data Execution Prevention). On January 21, 2010, Microsoft released an "out-of-band" patch for the vulnerability, which fixes the problem on Internet Explorer versions 6, 7 and 8. Methods exist to reliably exploit Internet Explorer versions 6 & 7, and there are several people who have working exploits for IE version 8, including Dino Dai Zovi, a well-respected vulnerability researcher. (A concise list of the details surrounding this issue can be found in this article).

Being Proactive

Many organizations are likely to implement the patch released by Microsoft since the issue has been receiving a lot of media attention. Patching because of a media event is an all-too-common mistake made by many organizations that cannot be convinced to implement new security measures until exploits make the news. Patching systems needs to be part of an organization’s overall strategy – not just a reaction to a media event. When new technologies become available as upgrades to your existing systems, put a plan in place to test and migrate to them, especially if they offer increased security. The organizations doing this today are looking at the latest exploit and implementing their patch strategy as part of the standard operating procedure.

Marcus Ranum Presents "Internet Nails" at TED

by Paul Asadoorian
November 11, 2009

Marcus presents an awesome story about the Internet, software, and security. Watch as he goes into detail on how protocols work, problems with FTP, HTTP, and much more! The purpose was to show how small mistakes made in the design of software and the Internet have shaped the security industry.

Cyberdawn - A Diverse Cyber Exercise - Part II

by Paul Asadoorian
October 9, 2009

Passwords are just so easy to abuse...

It was interesting to see that the top scorer in the game (who went by the handle of "ftp", and coincidentally had 21 scores in the first day of game play!) did not use fancy new exploits, 0day attacks or a wide range of open-source or even commercial tools. He was able to gain access to systems because the teams left default or easily guessable passwords set on some of the Linux servers. He used SSH to log in to the systems, then SCP to upload some Python code that was used to update the scoring engine. From there he was able to maintain access, not by rootkit technology or anything sophisticated, but just by hiding in plain sight. The Python script makes a TCP connection to the scoring server and sends a message. It was moved into a file called "/dev/vfat" to make it look like a system file. Next, a shell script was written to call the Python script every ten minutes. This file was called "getty" and ran in the background, and was also inserted into the startup scripts to ensure it kept running. The teams never found these processes running and "ftp" won the game, no exploits required.



Hacker "ftp" at work, winning the game using built-in tools such as bash, python and SSH.
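
A defender's check for the two hiding spots described in this post, as an added example that is not code from the original article: it lists regular files under /dev and flags interpreter processes running a script that is named like getty or lives under /dev. The function names and the two name lists are assumptions for illustration.

```python
import os
import stat

# Assumed lists; extend them for the hosts you audit.
DAEMON_NAMES = {"getty", "agetty", "mingetty"}
INTERPRETERS = {"sh", "bash", "dash", "python", "python2", "python3"}

def regular_files_in_dev(dev_root="/dev"):
    """Return regular files under dev_root. /dev normally holds device nodes,
    directories, symlinks, sockets and FIFOs, so a plain file stands out."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(dev_root):
        # shm and mqueue are tmpfs-style mounts where regular files are expected.
        dirnames[:] = [d for d in dirnames if d not in ("shm", "mqueue")]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                mode = os.lstat(path).st_mode  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(mode):
                hits.append(path)
    return sorted(hits)

def suspicious_interpreter_processes(proc_root="/proc"):
    """Return (pid, argv) where argv[0] is a shell or Python interpreter and the
    script it runs is named like a system daemon or is stored under /dev."""
    hits = []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        try:
            with open(os.path.join(proc_root, pid, "cmdline"), "rb") as f:
                raw = f.read().decode(errors="replace")
        except OSError:
            continue  # process exited or access denied
        argv = [a for a in raw.split("\0") if a]
        if not argv or os.path.basename(argv[0]) not in INTERPRETERS:
            continue
        # First non-option argument is the script path (skips e.g. "-e").
        script = next((a for a in argv[1:] if not a.startswith("-")), "")
        if os.path.basename(script) in DAEMON_NAMES or script.startswith("/dev/"):
            hits.append((int(pid), argv))
    return sorted(hits)

if __name__ == "__main__":
    print(regular_files_in_dev())
    print(suspicious_interpreter_processes())
```

A genuine getty shows its own binary as argv[0], so it is not reported; only an interpreter running a file with that name is.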

Cyberdawn - A Diverse Cyber Exercise - Part I

by Paul Asadoorian
October 7, 2009

Cyber Exercise

Over this past weekend I attended Cyberdawn, a cyber exercise that was hosted by Battlefield High School in Haymarket, Virginia.

Sidebar: What is a Cyber Exercise?
“A cyber exercise is a live computer network attack and defense event. A typical exercise runs at least one day for a small team and up to five days for large organizations or multiple teams. Teams generally fall into two categories: attackers (Red Team) and defenders (Blue Team). Defenders are scored on their ability to keep their IT systems up and functional in support of their business processes. Attackers are scored on their ability to disrupt business operations.”
See http://www.whitewolfsecurity.com for more information.

Risky Business 119 - Featuring Paul Asadoorian

by Paul Asadoorian
August 17, 2009

Last week I made an appearance on episode 119 of the Risky Business podcast with Patrick Gray. I spoke with Patrick about training and certification, specifically how it applies to the Information Security field and its importance in your career development.

Webinar - Control System Auditing with Nessus

by Ron Gula
May 14, 2009

Tenable CEO Ron Gula will interview Digital Bond Researcher Jason Holcomb about project Bandolier. Bandolier is a project funded by the Department of Energy which focuses on securing a wide variety of SCADA and Control System applications through configuration hardening. The project has produced several configuration auditing policies for Nessus ProfessionalFeed and Security Center users. Mr.

"Winning at the Compliance Game" Webinar, Feb 3

by Ron Gula
January 28, 2009

Will 2009 bring newer and more comprehensive versions of regulations such as PCI or FDCC? Is your organization already positioned to leverage the benefits of configuration management and transparent audit of IT resources?

With a focus on configuration and vulnerability management for enterprise networks, Tenable CTO Ron Gula will discuss the latest trends in compliance standards, strategies for a positive audit experience and how this process can lower your organization's operational costs and maximize availability.

Title: "Winning at the Compliance Game"
