Monday, November 17, 2008

USB 3.0 to Transfer 25GB in 70 Seconds

USB 3.0 will be unveiled soon, and so far the new specs for the protocol look incredible, promising 25GB transfers in a mere 70 seconds. To put that in perspective, the same transfer would take 13.9 minutes with the current USB 2.0 protocol and 9.3 hours on USB 1.0.

Friday, November 14, 2008

HITB Material Archive is Online

The presentation slides for the Hack-in-The-Box security conference are online now.

Tuesday, November 11, 2008

Security Event Correlation

This is an excellent post from TaoSecurity about SEM or SIEM.

Defining Security Event Correlation

This is my final post discussing security event correlation (SEC) for now. (When I say SEC I do not mean the Simple Event Correlator [SEC] tool.)

Previously I looked at some history regarding SEC, showing that the ways people thought about SEC really lacked rigor. Before describing my definition of SEC, I'd like to state what I think SEC is not.

So, in my opinion -- you may disagree -- SEC is not:
  1. Collection (of data sources): Simply putting all of your log sources in a central location is not correlation.
  2. Normalization (of data sources): Converting your log sources into a common format, while perhaps necessary for correlation (according to some), is not correlation.
  3. Prioritization (of events): Deciding what events you most care about is not correlation.
  4. Suppression (via thresholding): Deciding not to see certain events is not correlation.
  5. Accumulation (via simple incrementing counters): Some people consider a report that one has 100 messages of the same type to be correlation. If that is really correlation I think your standards are too low. Counting is not correlation.
  6. Centralization (of policies): Applying a single policy to multiple messages, while useful, is not correlation itself.
  7. Summarization (via reports): Generating a report -- again helpful -- by itself is not correlation. It's counting and sorting.
  8. Administration (of software): Configuring systems is definitely not correlation.
  9. Delegation (of tasks): Telling someone to take action based on the above data is not correlation.

So what is correlation? In my last post I cited Greg Shipley, who said if the engine sees A and also sees B or C, then it will go do X. That seems closer to what I consider security event correlation. SEC has a content component (what happened) and a temporal component (when did it happen). Using those two elements you can accomplish what Greg says.

I'd like to offer the following definition, while being open to other ideas:

Security event correlation is the process of applying criteria to data inputs, generally of a conditional ("if-then") nature, in order to generate actionable data outputs.

So what about the nine elements listed? They all seem important. Sure, but they are not correlation. They are functions of a Security Information and Event Management (SIEM) program, with correlation as one component. So, add correlation as item 10, and I think those 10 elements encompass SIEM well. This point is crucial:

SIEM is an operation, not a tool.

You can buy a SIEM tool but you can't buy a SIEM operation. You have to build a SIEM operation, and you may (or may not) use a SIEM to assist you.

Wait, didn't Raffy say SIM is dead? I'll try to respond to that soon. For now let me say that the guiding principle for my own operation is the following:

Not just more data; the right data -- fast, flexible, and functional.
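
A minimal sketch of the "if the engine sees A and also sees B or C, then do X" rule from the quoted post, with both its content and its temporal component, next to the plain counting the post says is not correlation. This is an added example, not code from TaoSecurity or from this blog; the event names, the per-host matching and the five-minute window are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample events (timestamp, host, event type); names are hypothetical.
EVENTS = [
    ("2008-11-11 10:00:05", "web01", "ids_alert"),          # A
    ("2008-11-11 10:00:40", "web01", "new_admin_account"),  # B, 35 s after A
    ("2008-11-11 10:03:00", "db02", "ids_alert"),           # A
    ("2008-11-11 10:30:00", "db02", "outbound_irc"),        # C, but 27 min later
    ("2008-11-11 11:00:00", "app03", "new_admin_account"),  # B with no A
]

def parse(events):
    """Turn raw tuples into time-ordered (datetime, host, kind) records."""
    fmt = "%Y-%m-%d %H:%M:%S"
    return sorted((datetime.strptime(ts, fmt), host, kind) for ts, host, kind in events)

def count_by_type(events):
    """Accumulation only: what the post calls counting, not correlation."""
    return Counter(kind for _, _, kind in events)

def correlate(events, a, followups, window, action):
    """If A is seen on a host and B or C follows on that host within window, emit X."""
    pending = {}   # host -> time of the most recent unmatched A
    outputs = []
    for ts, host, kind in parse(events):
        if kind == a:                               # content component: A
            pending[host] = ts
        elif kind in followups and host in pending:  # content component: B or C
            seen_a = pending.pop(host)
            if ts - seen_a <= window:               # temporal component
                outputs.append({"action": action, "host": host,
                                "because": (a, kind),
                                "at": ts.isoformat(sep=" ")})
    return outputs

if __name__ == "__main__":
    print(count_by_type(EVENTS))   # totals per type, nothing actionable
    for alert in correlate(EVENTS, "ids_alert",
                           {"new_admin_account", "outbound_irc"},
                           timedelta(minutes=5), "isolate_host"):
        print(alert)
```

Of the five events only the web01 pair satisfies the rule: db02's follow-up falls outside the window and app03 has no preceding A.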

Thursday, November 06, 2008

SQLmap - Automatic SQL Injection Tool

sqlmap is an automatic SQL injection tool developed in Python. Its goal is to detect and take advantage of SQL injection vulnerabilities on web applications.

Once it detects one or more SQL injections on the target host, the user can choose among a variety of options to perform an extensive back-end database management system fingerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges, databases, dump entire or user’s specific DBMS tables/columns, run his own SQL SELECT statement, read specific files on the file system and much more.

Wednesday, November 05, 2008


Grendel-Scan is an open-source web application security testing tool. It has an automated testing module for detecting common web application vulnerabilities, and features geared at aiding manual penetration tests.

The only system requirement is Java 5.

Tracking Gimmiv

There is an interesting post from researcher Joe Stewart.

It tracks a 0-day exploit for the vulnerability addressed by the out-of-band Microsoft patch MS08-067, a patch against a flaw in Windows RPC code.

Because of some mistakes made by the author(s) of the Gimmiv worm, third parties were able to download the logfiles of the Gimmiv control server. Even though most of the data in the logs is AES-encrypted, the key hardcoded in the Gimmiv binary was recovered and used to decrypt the data.

Converting the decrypted log file into KML format shows that:
  • Only around 200 computers were infected since the time Gimmiv was actively deployed on September 29, 2008.
  • Only 23 countries had infected users, and Southeast Asia appeared to have the greatest number of infections. Two networks in Malaysia had the most infections.
  • While Malaysia was the hardest hit, it appears that the “in-the-wild” spread of Gimmiv may have started in Vietnam on September 29.
  • The log shows that Gimmiv appeared first on August 20, 2008.

Gimmiv's author is probably from South Korea, because:
  • A zip file left behind on one of the control servers contained Korean characters in the compressed folder name.
  • One of the IP addresses, located in Korea, was running Gimmiv in a VMware virtual machine (as someone testing a piece of malicious mobile code might do).

Tuesday, November 04, 2008

Inside Uninformed Vol 10

This paper analyzes three vulnerabilities that were found in win32k.sys that allow kernel-mode code execution. The win32k.sys driver is a major component of the GUI subsystem in the Windows operating system. These vulnerabilities have been reported by the author and patched in MS08-025.

The first vulnerability is a kernel pool overflow with an old communication mechanism called the Dynamic Data Exchange (DDE) protocol. The second vulnerability involves improper use of the ProbeForWrite function within string management functions. The third vulnerability concerns how win32k handles system menu functions. Their discovery and exploitation are covered.

This paper illustrates how IPv6-enabled systems with link-local and auto-configured addresses can be compromised using existing security tools. While most of the techniques described can apply to "real" IPv6 networks, the focus of this paper is to target IPv6-enabled systems on the local network.

Monday, November 03, 2008


lm2ntcrack provides a simple way to instantly crack a Microsoft Windows NT hash (MD4) when the LM password is known.

lm2ntcrack is Free and Open Source software. This software is written entirely in Perl, so it is easily ported and installed.

* lm2ntcrack must be used with the password cracker John the Ripper.


WebSlayer is a tool designed for bruteforcing web applications. It can be used for finding unlinked resources (directories, servlets, scripts, etc.), bruteforcing GET and POST parameters, bruteforcing form parameters (user/password), fuzzing, etc. The tool has a payload generator and an easy and powerful results analyzer.

You can perform attacks like:
  • Predictable resource locator, recursion supported
  • Login forms bruteforce
  • Session bruteforce
  • Parameter bruteforce
  • Parameter fuzzing and injection (XSS, SQL)
  • Basic and NTLM authentication bruteforcing

Saturday, November 01, 2008

Microsoft IT Compliance Management Guide

This is a new solution accelerator published by Microsoft to help shift IT governance, risk, and compliance (GRC) efforts from people to technology. It aims to help IT people better understand how to address GRC by implementing an IT management framework.

Click here for the IT Compliance Management Guide.

Published: October 29, 2008

About This Solution Accelerator

The IT Compliance Management Guide can help you shift your governance, risk, and compliance (GRC) efforts from people to technology. This Accelerator helps you better understand how an IT management framework can help you implement controls to address GRC requirements that apply to your organization. In addition, you can use its configuration guidance to help efficiently address your organization's GRC objectives.


The IT Compliance Management Guide is a Microsoft Operations Framework (MOF) 4.0 companion guide that is based on the Regulatory Compliance Planning Guide. It addresses GRC authority document requirements.

The IT Compliance Management Resources workbook provides an extensive inventory of GRC–related configuration and management guidance organized by Microsoft products.

"This guide contains the information that will enable IT professionals to have an informed discussion with their GRC subject matter experts, including legal and audit personnel. The overview of the audit process and descriptions of general GRC terminology and control concepts will allow IT professionals to be an active participant in these discussions. The associated workbook provides a comprehensive list of Microsoft resources that address GRC planning and product configuration topics relevant to IT professionals."