The ISC handlers' diaries for the last few days have had pointers to various places for finding out which processes on a Windows box are good and which are malware. Here is a summary:
- Third Party
- Microsoft
I just read Susan Bradley's post asking why we don't use program hashes to only allow desktops to run certain binaries. This got me thinking about my friend and lab mate Yusuf's project, "Kernel-based Cryptographic Pre-execution Validation of ELF Object Code". His project looks to be very promising and a hugely useful tool for any organisation running *nix boxes. Imagine only letting binaries that have been signed by the IT dept run. He is still in the early stages but making good progress. As an extension it would probably be fairly trivial to do what Susan is asking and only allow binaries with certain hashes to run. I will ask him.
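To make the idea concrete, here is an added example (my own illustration, not Yusuf's code or Susan's proposal) of the user-space logic behind a hash allowlist: an IT department publishes a manifest of approved binaries and their SHA-256 hashes, protects the manifest itself against tampering, and a pre-execution check refuses anything unlisted or modified. The key, the binary contents and the manifest are constructed for the example, and an HMAC stands in for the department's signature where a real deployment would use a public-key signature.

```python
import hashlib
import hmac
import json

# Constructed example data: a made-up key and a one-entry allowlist.
IT_DEPT_KEY = b"example-signing-key-do-not-reuse"
APPROVED_BINARIES = {
    "ls": b"#!/bin/sh\necho approved-ls\n",  # stands in for the real binary's bytes
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(binaries: dict) -> dict:
    """Map each approved binary name to the SHA-256 of its contents."""
    return {name: sha256_hex(contents) for name, contents in binaries.items()}

def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC over the canonical JSON encoding, standing in for the IT dept's
    signature: without it, anyone who can write the manifest could add
    their own binary to the allowlist."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()

def verify_manifest(manifest: dict, signature: str, key: bytes) -> bool:
    return hmac.compare_digest(sign_manifest(manifest, key), signature)

def pre_execution_check(name: str, contents: bytes, manifest: dict,
                        signature: str, key: bytes) -> tuple:
    """Decide whether a binary may run. Returns (allowed, reason).
    Fail closed: an untrusted manifest means nothing runs."""
    if not verify_manifest(manifest, signature, key):
        return False, "manifest signature invalid: refusing everything"
    expected = manifest.get(name)
    if expected is None:
        return False, "not on allowlist"
    if not hmac.compare_digest(sha256_hex(contents), expected):
        return False, "hash mismatch: binary modified or replaced"
    return True, "approved"

MANIFEST = build_manifest(APPROVED_BINARIES)
SIGNATURE = sign_manifest(MANIFEST, IT_DEPT_KEY)

if __name__ == "__main__":
    print(pre_execution_check("ls", APPROVED_BINARIES["ls"], MANIFEST, SIGNATURE, IT_DEPT_KEY))
    print(pre_execution_check("ls", b"tampered", MANIFEST, SIGNATURE, IT_DEPT_KEY))
```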
Dana Epp has a write-up of her first day at the SecureWorld conference in Seattle. The bit that interested me was: "The panels on patch management and vulnerability assessment were boring. When everyone agrees and is doing vendor plugs... you do nothing to have an intelligent conversation on the subjects".
Continue reading "Patch Management @ SecureWorld conference"
Well, according to Tejas Patel they are, and he's normally very pro-Microsoft.
Also have a look at my shiny new Firefox box on the right. If you are using Internet Explorer, now is the time to switch.
UPDATE: Thanks to some diligent trackback checking by Tejas, it has been pointed out that he was referring to Microsoft developers and not Microsoft employees. Sorry Tejas.
According to Burak Dayioglu there is a site distributing some pretty recent PoC exploit code named milw0rm. It also has an RSS feed, which I have since added to Bloglines.
It is also a good idea to keep an eye on packetstorm's feed and k-otik's.
As a follow-up to Dana Epp's post and my earlier post, I have started work on a Code of Ethics for SNRG (Security and Networks Research Group, pronounced "synergy").
Continue reading "Code of Ethics"
Joat has a nice rant about why firewalls are not proxies, no matter how much they hype "deep packet inspection". What I liked the most was his rule of thumb for opening ports (snipped):
- disallow the protocol
- if you can't disallow it, proxy it (Layer 7) with a dedicated proxy to control the protocol's options and heavily log the protocol's use (who, what, where, when, how long)
- if you can't do that, proxy it (Layer 7) with a generic proxy to limit the source/destination IP's and the directions that the requests can be made and log as much as possible
- if you can't do that, reconsider disallowing the protocol
- if you can't do that, consider using a many-to-one NAT box (yeah, a LinkSys box) and log as much as possible
- if you can't do that, reconsider disallowing the protocol
- if you can't do that, (as a last resort) use a packet filter (Layer 3/4) to limit source/destination IPs/ports and log as much as possible
I have been chosen to be part of the Spread Firefox college rep team. Blake of the existing sfx team has organised this. We had our first online meeting today over IRC.
Continue reading "Spread Firefox College Team"
Some more developments from M$'s last few patches, and a bunch of vulnerabilities for almost every browser. The ISC summary puts it well:
"If you are reading this diary with any web browser other then 'lynx' or 'wget', you are likely vulnerable to one of the issues released today. The first issue covers all browsers that support tabbed browsing (Firefox, Netscape, Opera, Konqueror...). The second issue is only of interest to Microsoft Internet Explorer users."
Continue reading "All Browsers Vulnerability"
I have had viral tonsillitis for the last four days. This has resulted in me being either delirious with fever, too weak to move, or completely restless and in pain. It seems to be mostly gone now but I still have a rather thick-looking neck (it's gym, I promise). Life should be back to normal now.
I am officially finished with the SRC. I still have a final report to write but the rest of my duties are finally finished.
Continue reading "The End"
Oxo pointed out a nifty program called xplanet to me. It displays a part of the solar system accurate to the current time. It includes correct shading depending on the position of the sun, and the ability to add colour maps.
Continue reading "Xplanet"
Continue reading "Nostalgia"
I have been using the Microsoft Virtual Server 2005 Evaluation Kit for the last few days and I am quite impressed.
Continue reading "Microsoft Virtual Server 2005"