Kelly over at DarkReading wrote an article
about the results of a career survey initiated last year. It reveals
that over 50% of information security professionals are not
satisfied with their current jobs. And no, salary is not the main issue,
it is not even in the top 3! Most of these unhappy people complain
about their career advancement possibilities, about the fact that the
job is not challenging enough, or that there is no opportunity for
creative thinking. Want to know more? Read Kelly's article, or visit
Kushner and Murray during their workshop at Defcon.
July 2009 Archives
Always wanted a decent shell in Windows, but don't feel like learning to
use PowerShell? Use Ubuntu
Portable! It runs Ubuntu as if it were a Windows application,
allowing you to use any Linux applications you want just like that.
Don from the Security Ripcord blog posted about
an experience he had with Symantec and Microsoft. He had found malware
hidden in the Windows registry of one of his clients, and the vendors
would not believe it and actually stated that what he says is 'not
possible'. A nice writeup
from Sophos, however, indicates it IS in fact possible to hide malware
in the registry!
Reminds me of my attempt to convince HP that 3 printers at one of our customer's premises connected to malicious domains. Also 'not possible' ;)
Jack Goldsmith (New York Times) pleads
for a government regulation of computer security. I do agree with him
that some regulations should be implemented, also in Europe. We already
have laws saying that if you don't lock the doors of your house or your
car door, you're responsible for the consequences. But not every
computer or network breach can be avoided by regulations, and users
can't always be held responsible. For example, one can't expect the
everyday user to protect himself from zero-days. I would however
regulate the fact that users should have at least a firewall and
anti-virus, and that signatures should be updated on a regular basis.
Then if a user were, for example, the victim of a zero-day, and his
computer is used for larger attacks, at least he can say "I had
signature version such-and-such", and it can be deduced that his
anti-virus did not yet protect against this threat at that specific time
or date. I think at least a user should have an up-to-date anti-virus
and firewall, and if they don't they can be held responsible.
Peter Silberman and Steve Davis (both from Mandiant) found a method to
detect the use of Metasploit's Meterpreter and to reconstruct the
session, uncovering the attacker's tracks. They will present their
findings at Black Hat this summer.
" During this talk we discuss accessing physical memory for the purpose of acquiring a specific processes’ address space. Process address space acquisition includes DLLs, EXEs, stacks and heaps. This includes memory resident modules. We describe in detail how meterpeter operates in memory and specifically how memory looks when meterpreter scripts/commands are executed and the residue these scripts create in the exploited processes’ memory space. Finally, we tie all this knowledge together and discuss how to reconstruct a meterpreter session – completely from memory – and determine what the attacker was doing on the exploited machine. "
Sir John Sawers, the new head (as of November 2009) of the British Secret
Intelligence Service (better known as MI6), is currently experiencing
first hand the possible negative consequences of social networking. His
wife posted personal pictures and address information on Facebook
without protecting her profile. An investigation is ongoing to verify if
Sawers can still assume his new function, as there is fear for the
security of his family and friends after this information was leaked.
Source: ZDNet
For all of us security adepts out there blaming it all on 'the user', David Lacey
wrote a book
recently about managing our layer 8 problems!
