Aggressive Virus Defense

The Anti-Virus Guy

November 8, 2009

I am in danger of pigeon-holing, type-casting myself as The Anti-Virus Guy.

If you have a highly mobile workforce, anti-virus software should be considered as an intrusion detection system.

Intrusion detection systems detect anomalies, typically restricting their focus to anomalous network activity. They detect anomalies; anomalies which may have been caused due to an intruder, although they rarely are. Intrusion detection systems rely upon a person to investigate and determine the appropriate action.

Anti-virus software detects malware, typically spyware or Trojan horse software. A virus (malicious code inserted in a host program) is rare. Anti-virus software has expanded its scope to include a broader range of software that you may not want running.

Learning where the detected malware came from helps you to block access to that location and helps you to learn what other programs arrived from that location. Treat malware detection alerts as suspicious activity to investigate and take appropriate action.

In a mobile workforce you cannot rely upon your network monitoring equipment to inform you about anomalous conditions. Your network-based intrusion detection system can scan internal network traffic including traffic on VPN connections. Other network traffic is outside its scope. Nonetheless, you can still gather information about anomalous events through your anti-virus software.

WinPcap, Wireshark upgrade message

November 4, 2009

When upgrading Wireshark, which implies an upgrade to WinPcap, a message appeared:

System Information
Operating system detected on registry: Windows vista - x86
True operating system (kernel.dll): Windows Vista - x86
npptools.dll present on the system:    false
netnm.inf present on the system:       false
nmnt.sys present on the system:        false

This message is normal.

npptools.dll, netnm.inf and nmnt.sys are components of Microsoft’s Network Monitor (netmon) utility. Netmon is a network traffic capture and protocol analysis utility, similar to Wireshark.

Leave a Comment » | Troubleshooting | Tagged: Troubleshooting | Permalink
Posted by rklanke

Framework

November 1, 2009

It is better to address the entire organization’s availability, confidentiality, integrity and authenticity (collectively: security) concerns than to test individual applications for security concerns. To that end, Microsoft offers a Security Assessment Tool, useful for even non-Microsoft environments.

CERT OCTAVE (Operationally Critical Threat, Asset, and Vulnerability Evaluation) is a suite of tools, techniques, and methods for risk-based information security strategic assessment and planning. Business Continuity Planning
Information Systems Security Assessment Framework (ISSAF) seeks to evaluate the organization’s information security policies & processes to report on their compliance with IT industry standards, and applicable laws and regulatory requirements
NIST SP 800-34 Contingency Planning Guide for Information Technology Systems (Business Continuity Planning)
NIST SP 800-115 Technical Guide to Information Security Testing and Assessment
NSA IAM National Security Agency InfoSec Assessment Methodology
Sherwood Applied Business Security Architecture (SABSA) SABSA: the What, Why, How, Who, Where and When and of Contextual, Conceptual, Logical, Physical, Component and Operational
Zachman International Zachman Architecture Framework: the What, How, When, Who, Where, and Why of Identification, Definition, Representation, Specification, Configuration and Instantiation
ITIL and ITSM World IT Infrastructure Library (ITIL) is a series of documents that are used to aid the implementation of a framework for IT Service Management (ITSM).
Microsoft Security Development Lifecycle Procedures for incorporating security into software development. Tools to support steps in the lifecycle as well.

1 Comment | Uncategorized | Tagged: security | Permalink
Posted by rklanke

Report SPAM

October 29, 2009

Send unsolicited commercial email (SPAM) to KnujOn and spam@uce.gov.

Leave a Comment » | Root Cause Investigation | Tagged: defense, security | Permalink
Posted by rklanke

Security Patch Management

October 18, 2009

When security patches are released, expect them to be reverse engineered. Expect an exploit to become available, if it isn’t already. That is, “is exploit code publicly available?” is not an important question. Act as if it is available.

“Is this vulnerability wormable?” is not an important question, either. Worms were dramatic and news worthy, but now worms are scarce. It makes very little sense to develop a worm; there’s no money in it.

You want to know if your mission critical systems are in jeopardy. Can your data be stolen or corrupted? Where is your data? What would be required to reach it? Any software vulnerability should be addressed quickly.

Plan for spikes in support. For example, you may not know how many patches Microsoft will release on the second Tuesday of the month but you know that patches will be released. Identify your mission critical applications. Assign a patch testing team for each mission critical application. Each patch testing team needs their own test script. On patch Tuesday, have each team install the patches and go through their test scripts to determine application impact. Set a deadline for a response; perhaps Friday of that week. Require a response, no compatibility issue found or compatibility issue exists. Follow your change control process.

For non-Microsoft patches, the notification process is less straightforward. Subscribe to the Secunia notifications to and any specific vendors you require. Encourage your vendors to adopt an announcement cycle. Don’t accept “when required” or “as needed” as responses. While they are caught by surprise when vulnerabilities are found, that unpredictability can be managed for their customers in all but the most troublesome of vulnerabilities.

Review your exposure, there’s some exposure but mitigation could be more expensive. Patch installation should never be your only mitigation measure, but it is always an important one.

Leave a Comment » | Network | Tagged: defense, security | Permalink
Posted by rklanke

Web Browser Forensics

October 7, 2009

What question were you trying to answer? Could be:

Where did this malicious software come from?
What web sites has this person been visisting?

What access do you have? Could be:

A single machine, and I have local access
Multiple machines, and I have remote access

Is this actually a Forensics examination, where you care about preserving evidence, or is this a root cause examination, where discovery (not legally admissible evidence) is the goal.

The answers affect the tool you choose and how you use it. For example, in a “concerned parent” scenario there is a single Windows machine using Internet Explorer, for which you have local access, and you want to learn the web sites visited. Use Mandiant Web Historian and inspect the C:\Users\<userid>\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat file. (A firewall log of successful web connections would be of more help.)

On the other hand, consider a large environment that investigates web-based malware alerts. Here the questions are: where was the threat encountered and what else arrived from that site or around that time. As part of the alert, you have the machine name and user id and the name of the malicious file.

Grab copies of the Index.dat files, saving them with names that make them distinguishable later. Use Pasco
(http://www.sourceforge.net/projects/fast) to make tab-separated text files from the dat files.

A batch file to make this task easier:

@echo off if (%2)==() goto ERR_SYNTAX copy "\\%1\C$\Users\%2\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat" "%1_%2_cache_index.dat" attrib -s -h "C:\Users\%2\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat" copy "\\%1\C$\Users\%2\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat" "%1_%2_history_index.dat" attrib +s +h "C:\Users\%2\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat" copy "C:\Users\%2\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat" "%1_%2_history_index.dat" pasco "%1_%2_cache_index.dat" > "%1_%2_cache_index.txt" pasco "%1_%2_history_index.dat" > "%1_%2_history_index.txt" GOTO EXIT :ERR_SYNTAX Error - requires two parameters, machine name (or IP address) and userid :EXIT
When loading the text separated text file into Excel, some columns won’t line up. Close enough for my purposes, though.

Note that this problem in Excel is because some of the original fields in the index.dat file contain tabs; using pasco to create a tab-separated text file when some fields contain tabs is problematic. If you wish to be consistent, fields rarely contain pipe characters; creating a pipe character-separated text file will produce a more consistently formatted Excel spreadsheet.

The questions again were: Where was the threat encountered and what else arrived from that site (or around that time).

Search the resulting text file for the detected malicious file. This turns up a lot of undetected malware. A malicious site rarely sticks to only one threat. A site typically hangs on to the older, already detected threats when breaking in a new, undetected threat. Get a sample of the new, undetected threat and submit it to vendors. You will also turn up a pattern of sites and ASNs. Report sites, blacklist sites, and the count of detected threats goes down.

Utilities:

Chrome Analysis Internet only, Google Chrome only utility
Firefox 3 web browser forensics Includes description of the SQLite database, how to use sqlite3 to view the database and a PERL script to generate a report from the database. No need for Windows.
Firefox 3 web browser forensics using f3e
Fox Analysis Internet only, Firefox 3 only utility
Mandiant Web Historian Internet only, Firefox and Internet Explorer utility
Pasco (part of the Forensic Analyst’s Software Toolkit) Internet Explorer only utility
SQLite Database Browser Public domain SQLite database browser, useful for Chrome and Firefox’s downloads.sqlite

Leave a Comment » | Root Cause Investigation, Web Security | Tagged: malware | Permalink
Posted by rklanke

Report Phishing

October 6, 2009

Report phishing by sending a saved copy of the email to

phishing-report@us-cert.gov
spam@uce.gov
reportphishing@antiphishing.org

See US-CERT’s Report Phishing, FTC’s Phishing and Anti-Phishing Working Group (APWG), respectively. A copy of the email is preferred to forwarding the email, since forwarding loses source information.

There is also PhishTank, although that seems to be oriented toward URLs (e.g., web advertising that collect personal information for redistribution) and not toward email threats.

Leave a Comment » | Network | Tagged: defense | Permalink
Posted by rklanke

October 2009 is National Cyber Security Awareness Month

October 1, 2009

From InfraGard:

October 2009 is National Cyber Security Awareness Month (NSCAM), which the FBI endorses and participates. The NSCAM event has been held every October since 2001, as a national awareness campaign to encourage everyone to protect their computers and our nation’s critical cyber infrastructure.

Cyber security requires vigilance 365 days per year. However, the Department of Homeland Security, the FBI, the National Cyber Security Alliance, and the Multi-State Information Sharing and Analysis Center, coordinate to shed a brighter light in October on what home users, schools, businesses and governments need to do in order to protect their computers, children, and data.

Ultimately, our cyber infrastructure is only as strong as the weakest link. No individuals, business, or government entity is solely responsible for cyber security. Everyone has a role and everyone needs to share the responsibility to secure their part of cyber space and the networks they use. The steps we take may differ based on what we do online and our responsibilities. However, everyone needs to understand how their individual actions have a collective impact on cyber security.

Please read the Awareness Month Fact Sheet, Awareness Month What Home Users Can Do Tip Sheet, and the Awareness Month CSAVE Fact Sheet.

You can read more by visiting STAYSAFEONLINE.ORG.

Thanks,

John “Chris” Dowd
Unit Chief
Public/Private Alliance Unit
Strategic Outreach and Initiative Section
Cyber Division

Leave a Comment » | Web Security | Tagged: Virus | Permalink
Posted by rklanke

Can You Trust That Web Site? (URL Shortener edition)

September 24, 2009

Regarding URL shorteners such as Bit.ly, is.gd, ow.ly and tinyurl.com, services designed to redirect to a different, typically longer, URL.

They are nearly mandatory when posting a URL via Twitter (or other microblogging site).
They can get your email dropped by a SPAM filter, since URL redirection (URL forwarding, URL obfuscation) is how malicious sites get past SPAM filters.
A URL shortener service takes links out of your control; many of the free URL shortener services have already shut down.

You want to know if you can trust that web site, and a meaningless link doesn’t help. Note that you should always treat any link you may see in an email or web page as meaningless; there is no reason to trust that what the link connects to the text displayed.

Instead of HpHosts as your first step (my advice from Can You Trust That Web Site?), go to vURL. vURL reveals and expands the redirected web site. You can learn what the obfuscated URL will lead you to (and examine the code) without directly connecting to the web site. Then learn if the revealed web site is trustworthy at HpHosts.

Leave a Comment » | Web Security | Tagged: defense | Permalink
Posted by rklanke

Can You Trust That File?

September 23, 2009

More importantly, can you trust that file’s source? Learning to suspect the source and being cautious (see Can You Trust That Web Site) is crucial.

Sometimes you want to confirm the source or authorship of a program, document, spreadsheet, or PDF file. Unfortunately, developers are not required to digitally sign executables (it is recommended, but not enforced). Confirmation of a certificate would help establish trust for a program. Similarly, persons rarely add digital signatures to documents, spreadsheets or PDF files. Again, this would help confirm its source. We don’t get the digital signature mechanism, so we need ways to make informed decisions (educated guesses) about whether programs and other files are trustworthy.

If you’re running anti-virus software, then you already have its opinion. You can be too careful, to point that it interferes with your responsibilities, but it is healthy to be suspicious.

Finding suspicious programs is covered in Simple Malware Discovery Measures.

Send the sample to your anti-virus vendor. They have the analysis procedures and expertise; you don’t. It doesn’t hurt to get a second opinion, though. I use VirusTotal to test a suspicious file against multiple anti-virus vendors. Expect some vendors to report that a file is malicious while others do not; this does not necessarily indicate that some vendors are more effective than others. For example, Sunbelt Software reports that FlashGet is a Trojan horse program because it contains support for the bittorrent protocol. This, like other peer-to-peer file sharing schemes, introduces a remote control mechanism. If you are unaware of this feature it can be used to compromise your system and Sunbelt appropriately warns you.

Alternatives to VirusTotal (test a suspicious files against multiple anti-virus vendors):

VirSCAN Submit suspicious file, up to 20 MB (even password protected ZIP or RAR files)

Anubis Iseclab Anubis is a service for detecting and analyzing web-based malware. It currently handles executable files as uploads and as URLs.

Information Technology Information Sharing and Analysis Center (IT-ISAC) Public section with best practices, news, references and a suspicious file submission vehicle. Private section for organizations

Offensive Computing Submit a suspicious file. Almost, news about real threats that mainstream media doesn’t cover.

ThreatExpert Submit a suspicious file.

UploadMalware Submit up to six suspicious files.

Sandbox utilities, analyze the program’s behavior for signs of maliciousness

InMAS CW-Sandbow Internet Malware Analysis System – submit W32 samples up to 16MB

Norman Sandbox Upload suspicious executable to be run and monitored for suspicious behavior (not just scanned). Archive files will not be unpacked, they are only scanned.

Sunbelt CWSandbox

Special purpose analysis sites

jsunpack jsunpack is a service for detecting and analyzing web-based malware. It currently handles Flash, JavaScript, and PDF files.

wepawet Wepawet is a service for detecting and analyzing web-based malware. It currently handles Flash, JavaScript, and PDF files.

Reverse engineering

Really? You want to spend your time on this? What are you trying to find?

VirSCAN and PEiD can be used to identify which packer, cryptor or compiler was used (if any). Then use an appropriate unpacker:

Ollydbg with the Ollydump plugin
IDAPro with the “Universal Unpacker”
Generic Unpacker Win32 by Christop Gabler
To be practical, use the latest PEiD and Google for the packer it finds along with the word “unpacker.”

Once unpacked and unencrypted, use strings (from Sysinternals). You may find a URL that the program connects to. When you encounter a suspicious URL, you have learned you cannot trust that file.

Leave a Comment » | Virus | Tagged: malware | Permalink
Posted by rklanke

About Me

Russ Klanke, CISSP
Seattle

Seeking employment (full time or consulting)

Finding solutions before there is a problem

Organizing Team Unemployed for the 2009 Jingle Bell Run and Walk For the Benefit Of the Arthritis Foundation
Terror Alert Level, Internet Traffic Report
Contents
Introduction
- Report Phishing
- Report SPAM
- Busy Firewall Administrators Note
- Blocking Torrent and Instant Messenger Traffic
- Security Patch Management
- Alternatives To Reimaging
- How To Disable Autorun.inf In Windows Vista
- The C-Level Virus
- Rant: Terminology, Semantics, Pedantic Rant
Pages
- General Education
Articles
- 2007 Security by the Numbers By Tracy Mayor on June 5th, 2007 in IT Security
- 2009 CWE/SANS Top 25 Most Dangerous Programming Errors the most significant programming errors that can lead to serious software vulnerabilities
- Advanced obfuscated JavaScript analysis by Daniel Wesemann
- Ben Edelman Adware, spyware, web browser malware research
- Black Hat USA 2009 presentations
- Common Internet Crime Schemes
- Computer Forensics Resources Collection of Great Forensics Links maintained by Global Digital Forensics
- ConfigureTerminal.com Cisco tips and other tips for network professionals
- Configuring IP Access Lists Cisco’s Guide To Access Control Lists (ACLs)
- CSO Online – Security and Risk News, tools, templates
- Digital Bond Supervisory Control And Data Acquisition (SCADA) security topics
- FAQ: What is the impact of e-discovery law on IT operations?
- Guide to Selected Privacy and Confidentiality Regulations Summarized list of regulations related to privacy
- Harlan Carvey's Windows Incident Response blog Author of “Windows Forensic Analysis”, now in its second edition
- How Does Secure Socket Layer (SSL or TLS) Work? Might be the most accessible answer to this popular question.
- How Google Analytics Works An accessible description, with examples.
- How To Build Cheap Cloud Storage 67 Terabytes for $ 7,867
- IETF Recommendations for the Remediation of Bots in ISP Networks (draft 03) Applicable for large corporations as well
- Information Security & Technology at MIT Policy resources and a look at a mature environmnet
- Insider Threat Research How CERT does insider threat research
- Iron Geek Rated “Dangerous” by Trend Micro
- IT Security Short articles on any topic. Not necessarily well-researched.
- Leaks Grow in World of Blogs Companies Search for New Ways to Stop Disclosures of Sensitive Information
- Microsoft Security Intelligence Report (SIR) The changing theat landscape, updated twice a year.
- mnin.org Michael Ligh Vulnerabilities, reverse engneering
- National Institute of Standards and Technology (NIST) Computer Security Resource Center Resources, important and useful publications
- NSS Labs Product evaluations (IDS, IPS, UTM, WAF) and methodology
- NTFS Disk Internals NTFS indices
- OSF DataLossDB Open Security Foundation collection of information about data losses
- Perl-Fu: Regexp log file processing Mike Worman on regular expressions, perl and information leakage detection
- Professional Security Testers Security testing
- Reality Check: Emerging Information Security Threats (Spring 2009) Video. Lenny Zeltser explores today’s emerging Internet security threats to help organizations fine-tune their defenses. Lenny examines attack patterns that have included the use of email as a gateway for fraud, the mighty power of network bots, the ferti
- SANS Internet Storm Center News
- Scientific Working Group on Digital Evidence (SWGDE) Forensic practices and research
- Security Engineering by Ross Anderson Wiley has agreed to make the 1st edition (2001) free, and selected chapters from the 2nd edition are also free
- Sophos Security Threat Report (July 2009) (PDF)
- SpywareGuide Greynets Blog
- Storage Area Network (SAN) Learning Guide LAN, WAN, MAN … SAN?
- The 5 Most Dangerous Security Myths Erik Larkin, PC World, 01/06/2009
- The 60 Minute Network Security Guide NSA UNCLASSIFIED I33-011R-2006 First Steps Towards a Secure Network Environment
- The Academy Pro How to videos (SourceFire, Nessus, Tenable, CheckPoint, Shavlik, Astaro …)
- Top Ten Database Security Threats Imperva whitepaper
- Understanding IP Addressing from 3Com, Everything You Ever Wanted To Know
- Washington Post: Network Solutions Hack Compromises 573,000 Credit, Debit Accounts
Awareness
- CfISA The Center for Information Security Awareness
- Infragard Awareness features the Certificate in Information Security Awareness in the Workplace
- Lessons learned from the Twitter account hack Why password policies exist.
- SecurityTube Videos related to security
Blogroll
- Bharath's Security Blog Collector of Fake AV (Rogue AV)
- Brad's Tech Tips
- Computer Forensic Blog Andreas Schuster
- Computer Forensics/E-Discovery Tips/Tricks and Information Mark McKinnon’s blog
- De-ICE.net Thomas Wilhelm
- DEFCON Links-O-Rama Something for all tastes
- Dynamoo's blog Current threat sources
- F-Secure blog
- hpHosts Blog
- Infosec Island
- Jesse Kornblum's blog Jesse Kornblum
- Kim Cameron's Identity Blog
- Matthieu Suiche’s blog Root cause research
- Microsoft's Script Center Powershell, VB Script, for example
- Oracle and Oracle Security Pete Finnigan
- Push the Red Button Brendan Dolan-Gavitt
- Security Uncorked Jennifer Jabbusch, CISO, Network Security Specialist, CAD, Inc.
- SpywareGuide blog
- Sunbelt Blog
- TaoSecurity Richard Bejtlich
- Threat Level Wired magazine blog
- U.S.-EU Safe Harbor Framework privacy requirements when U.S. organizations do business in the EU
- Using the New Microsoft Network Monitor (netmon) 3.3 with Network Experts Instead of Wireshark, if you would rather use Microsoft’s version.
- Verizon Business Security Blog
- Windows Incident Response Harlan Carvey
Compliance and Guidance
- American Recovery and Reinvestment Act (ARRA) of 2009 Expands HIPAA to protect patient health information.
- BreachPrep.org Not if, but when. An incident response plan and notification requirements.
- California Security Breach Information Act (CA-1386) Agencies, persons and businesses and their privacy obligations, with similar regulations in 44 states and the District of Columbia
- Children's Online Privacy Protection Act of 1998 Privacy, deceptive practices
- Control Objectives for Information and related Technology (COBIT) guidance materials for IT governance
- Electronic Signatures in Global and National Commerce Act 15 USC Chapter 96 Enforcability of electronic signatures, retention of records
- European Network and Information Security Agency (ENISA) Publications, including the CERT Exercises Handbook and Toolkit
- GovCert.NL the Computer Emergency Response Team for the Dutch Government, home of awareness products such as movies, our annual reviews, trend reports, Cyber Crime manual and “Cert in a box”.
- Gramm-Leach-Bliley Act (GLBA) AKA Financial Modernization Act of 1999; customer privacy protection, notification of privacy protection, management liability; employee training
- Health Insurance Portability and Accountability Act of 1996 (HIPAA) Kennedy-Kassebaum; privacy compliance, not just a health care issue
- Information Technology Information Sharing and Analysis Center (IT-ISAC) Public section with best practices, news, references and a suspicious file submission vehicle. Private section for organizations
- ISO 27001 Online Security Management Standard
- ISO 27001 Security Promotes and explains the ISO/IEC 27000-family of information security standards and provides resources.
- IT Infrastructure Threat Modeling Guide provides an easy-to-understand method for developing threat models that can help prioritize investments in IT infrastructure security. This guide describes and considers the extensive methodology that exists for Microsoft Security Development Lifecycle (S
- NIST 800-53 rev 2 Recommended Security Controls for Federal Information Systems
- NIST Computer Security Resource Center Guidance
- NIST CSRC FISMA Implementation Project National Institute of Standards and Technology (NIST) Computer Security Resource Center (CSRC) Federal Information Security Management Act (FISMA)
- NIST: An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule Introductory? A detailed risk management guide, using HIPAA to give the abstract subject some substance.
- Payment Card Industry (PCI) Data Security Standard (DSS)
- Payment Card Industry (PCI) Data Security Standards (DSS) See “Roadmap to PCI Compliance” for an implementation plan
- RCW 19.255 Revised Code of Washington (SB6043 2005), Personal information — notice of security breaches (businesses)
- RCW 42.56.590 Revised Code of Washington (SB6043 2005), Personal information — notice of security breaches (agencies)
- Role-Based Access Control (RBAC) and Sarbanes-Oxley Compliance
- Sarbanes-Oxley Act of 2002 (SOX) Fraud and accountability. Section 404: Audit internal controls.
- Security Content Automation Protocol (SCAP) SCAP is a specification established by NIST for expressing and manipulating security data in standardized ways.
- Society of Payment Security Professionals – Complaince Demystified Secure Payments, PCI DSS, Regulatory Compliance Blog
- Statement on Auditing Standards (SAS) 70 Compliance Resource Guide Internal Controls, compliance audit for assessing the internal control framework on service organizations that provide critical outsourcing activities for other entities.
- Truth To Power Compliance and guidance research and advisory community
- U.S.-EU Safe Harbor Framework privacy requirements when U.S. organizations do business in the EU
Current threat news
- AV-Test.org See their collection of LINKS Anti Virus, Anti Spyware, Personal Firewalls, Security Suites, Corporate Editions, Online-Scanner, Virus Infos, Virus Libraries, Security Blogs AND their Update Frequency of Anti-Virus Software (number of updates in the past
- Bad Mal Web Russian Business Network (RBN) where are they now?
- Banking Information Security News Need security breach horror stories? The ones everyone hears about?
- CERTStation News Threat Management Advisory (TMA) Summary of recent activity
- CircleID Breaking Internet News, Opinions and Blogs
- Cyber-TA (Threat Analytics)
- Dark Reading Information Week Business Journal
- Department of Homeland Security (DHS) Daily Open Source Infrastructure Report
- Department of Homeland Security News email or RSS
- DShield Mirror of ISC. ISC uses the DShield distributed intrusion detection system for data collection and analysis. Submit firewall logs here.
- Emerging Threats More real threats that mainstream media doesn’t cover, with SNORT signatures and firewall rules
- ExtremeTech News, 802.11 tips
- GNUCITIZEN
- HostExploit Current threat news
- Hosts News More real threats that mainstream media doesn’t cover
- hpHosts Malicious URL list
- Immunity CANVAS Early Updates You may not be able to afford their test tool, but you may wish to follow the exploits as they appear.
- Malware Advisor
- Malware Block List Collects links to malware
- Malware Domain List (MDL) WARNING: All domains on this website should be considered dangerous. If you do not know what you are doing here, it is recommended you leave right away. This website is a resource for security professionals and enthusiasts.
- Malware Patrol Malware Patrol is a free, automated and user contributed system for verifying URLs for the presence of Viruses, Trojans, Worms, or any other software considered Malware.
- Malware Web Threats More real threats that mainstream media doesn’t cover
- MalwareURL Malicious URL list
- NIST's CVE database
- Offensive Computing Submit a suspicious file AND more real threats that mainstream media doesn’t cover
- SANS Internet Storm Center (ISC) SANS
- Security Wizardry Computer Network Defence Operational Picture from Talisker Computer
- SecurityFocus Bugtraq mailing list
- Shadowserver Foundation Bot and botnet statistics and whitepapers, malware definitions,
- Spyware Sucks More real threats that mainstream media doesn’t cover
- Spyware Warrior
- SpywareGuide
- SRI Inc Malware Threat Center Most Aggressive Malware Attack Source and Filters, Most Effective Malware-Related Snort Signatures, Most Prolific BotNet Command and Control Servers and Filters, Most Observed Malware-Related DNS Names, Most Effective Antivirus Tools Against New Malware B
- Stop Badware
- sudosecure.net More real threats that mainstream media doesn’t cover
- Team Cymru Research NFP a specialized Internet security research firm and 501(c)3 non-profit dedicated to making the Internet more secure. By researching the ‘who’ and ‘why’ of malicious Internet activity worldwide, Team Cymru helps organizations identify and eradicate problems.
- TeMerc Internet Countermeasures Emerging Security Threats and News
- The H (formerly Heise Online UK) News, more Linux orientation than many
- Threatpost Kaspersky’s consolidated web threat news
- UnderForge of Lack More real threats that mainstream media doesn’t cover
- US-CERT
- Washington Post Security Fix column by Brian Krebs
Podcasts
- CyberSpeak Two former federal agents discussing computer forensics, cybercrime, and computer security.
- Forensic 4cast Lee Whitfield’s digital forensics podcast (also 4cast.whitfields.org)
- Forensics and Recovery podcasts Paul A. Henry, author of Information Security Management Handbook and other books
- GetMon Podcasts fro Cyber Security Professionals
- PaulDotCom Not introductory. Lots of insider-speak. An interview, then the news.
- Radio Free Security Watchguard
Promotions
- Microsoft retailers only Get rewards for learning marketing points
- VistaPrint 250 business cards, $5.67 shipped. 25% discount on custom printed products
- Windows 7 for $30 Students (with .edu address) Only
Root Cause Investigation
- 2008 SANS Computer Forensics and Incident Response Summit presentations
- Computer Forensics Resources Collection of Great Forensics Links maintained by Global Digital Forensics
- Computer Forensics/E-Discovery Tips/Tricks and Information Mark McKinnon’s blog
- CyberSpeak Two former federal agents discussing computer forensics, cybercrime, and computer security.
- E-Evidence Information Center Digital Forensics articles and links
- File Signatures Tim Coakley’s file signature database. Extend what ProDiscover detects.
- Forensic 4cast Lee Whitfield’s digital forensics podcast (also 4cast.whitfields.org)
- Forensics and Recovery, LLC Paul A. Henry, author of Information Security Management Handbook and other books
- Forensics Wiki Links to articles, tools, file analysis
- Mac OS X Forensics George Starcher
- Memory Parser (MMP) Tobias Klein
- Mirror: The Protocol Informatics Project Identify protocol fields in unknown or poorly documented network protocol formats – Marshall Beddoe
- Mobile Internal Acquisition Tool (MIAT) Symbian and Windows Mobile Forensics
- Scalpel data carving software Scalpel is a (free) fast file carver that reads a database of header and footer definitions and extracts matching files from a set of image files or raw device files. Scalpel is filesystem-independent and will carve files from FATx, NTFS, ext2/3, or raw p
- Scientific Working Group on Digital Evidence (SWGDE) Forensic practices and research
- Simple Carver Inexpensive ($ 95) data carving and file recovery software
- Sleuth Kit (TSK) & Autopsy: Digital Investigation Tools for Linux, Unix, and Windows TSK is a C library and a collection of command line tools (based on code from The Coroner’s Toolkit (TCT)). Autopsy is a graphical interface to TSK.
- Volatile Systems Blog AAron Walters
- Volatility: Volatile Memory Analysis Research AAron Walters
- Windows File Analyzer Analyze Thumbs.db, the Prefetch folder, shortcut files, Index.Dat files, Info2 (Recycle Bin) files
Subscriptions
- Forensic 4cast Lee Whitfield’s digital forensics podcast (also 4cast.whitfields.org)
- Information Security Magazine
- IT Security Short articles on any topic. Not necessarily well-researched.
- NextGov.com Technology and the Business of Government
- North American Network Operators Group (NANOG) Insider information about the state of the Internet (ISPs, outages, malware …), the actual news behind the broadcast news.
- US-CERT The United States Computer Emergency Readiness Team has a variety of mailing lists and news feeds.
Tools
- Adeona On hold. Free service to track stolen laptops.
- Avira Antivir Rescue System Rootkit hunter
- Blat A Win32 Command Line SMTP Mailer
- BotHunter IDS-ish botnet scanner from SRI International
- CAINE Live CD Computer Aided INvestigative Environment (CAINE) is a GNU/Linux live distribution created by Giancarlo Giustini as a project of Digital Forensics for Interdepartment Center for Research on Security (CRIS), supported by the University of Modena and Reggio
- DIFRwear RFID blocking wallets
- DTSearch Text Retrieval and Full Text Search, instantly search terabytes of text
- Flawfilder Scan source code for possible security weaknesses
- Forensic Acquisition Utilities by George M. Garner Jr., includes a Windows-based dd command that can dump memory
- FortiClient Endpoint Security Suite Standard edition, free Firewall / VPN security, Antivirus and Malware protection, Web Filtering, Endpoint Control and WAN Optimization
- Freeware utilities
- Gargoyle malware discovery across large file systems
- Gmer Rootkit hunter
- GNU Utilities for Win32 Including grep
- IceSword Detect keyloggers, rootkits
- IDA Pro Disassembler Reverse engineering utility, if you wish to analyze malware.
- Immunity debugger write exploits, analyze malware, and reverse engineer binary files
- KeePass Password Safe free, open source, light-weight and easy-to-use password manager for Windows. You can store your passwords in a highly-encrypted database, which is locked with one master password or key file.
- Lenny Zeltser Cheat Sheets nothing wrong with having these cheat sheets on hand at all times.
- log2timeline Root cause analysis. Review many Windows artifacts to construct a sequence of events
- Maltego Maltego collects publically available information about you, your company, your phone number, and many more.
- Malwarebytes' Anti-Malware Malware discovery
- Mandiant Red Curtain by Nick Harbour, search for suspicious files
- Microsoft Fiddler Fiddler is a Web Debugging Proxy which logs all HTTP(S) traffic between your computer and the Internet. Fiddler allows you to inspect all HTTP(S) traffic, set breakpoints, and “fiddle” with incoming or outgoing data. Fiddler includes a powerful event-base
- Microsoft Office enhancements Free from Microsoft
- Microsoft Security Essentials Antivirus
- Microsoft Windows SteadyState Microsoft utility to reset a shared access computer
- Microsoft Windows SysInternals PsExec, ProcessExplorer, Process Monitor, FileMon, DiskMon, RegMon, AutoRuns, and so forth
- Microsoft's free software Ultimate List of Free Windows Software from Microsoft
- Microsoft's Security Tools Part of Security TechCenter. Assess vulnerabilities and strengthen security with these tools and technologies.
- Microsoft's Solution Accelerators “IT Compliance Management Guide” “Security Compliance Management toolkit”, “Malware Removal Starter Kit: How to Combat Malware Using Windows PE”, “Windows Server 2008 Security Guide” (and Vista and XP Security Guides), for example
- Microsoft's Windows Server 2003 Resource Kit Tools a set of tools to help administrators streamline management tasks such as troubleshooting operating system issues, managing Active Directory®, configuring networking and security features, and automating application deployment.
- Nagios IT Infrastructure monitoring
- Nessus Nessus Vulnerability Scanner from Tenable Network Security
- Nick Harbour's tools and techniques Forensics software, reverse engineering tools, packers, presentations
- nmap ("Network Mapper") at insecure.org a free and open source utility for network exploration or security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring ho
- OllyDbg Debugger Reverse engineering utility, if you wish to analyze malware.
- Open Web Application Security Project improving the security of application software
- OpenDNS Trustworthy DNS servers and optional content filtering
- Prevx Prevx Edge rootkit hunter
- Quintessential Network Tools Page, The mobrien.com DNS, Routing, Calculators, Performance, Security
- Regex Coach Interactive tool for creating regular expressions
- Robtex Internet toolkit
- Scalpel data carving software Scalpel is a (free) fast file carver that reads a database of header and footer definitions and extracts matching files from a set of image files or raw device files. Scalpel is filesystem-independent and will carve files from FATx, NTFS, ext2/3, or raw p
- Script Decoder Decode JScript, ASP pages, VBScript obfuscated with Microsoft’s Windows Script Encoder (screnc.exe)
- Scuba by Imperva a free, lightweight java utility that scans (Oracle, IBM DB2, Microsoft SQL Server, and Sybase) databases for known vulnerabilities and configuration flaws
- Secunia PSI Inventories your system to determine if any software has security vulnerabilities with vendor patches. (free)
- Security xploded Tools and articles; IE, Firefox and Chrome password decrypters, ProcNetMonitor
- Simple Carver Inexpensive ($ 95) data carving and file recovery software
- SlavaSoft FSUM Hash (Message Digest) or Checksum calculator in a command line with wild cards and recursion (free)
- SlavaSoft HashCalc Hash (Message Digest), CRC, and HMAC calculator in a GUI (free)
- Sleuth Kit (TSK) & Autopsy: Digital Investigation Tools for Linux, Unix, and Windows TSK is a C library and a collection of command line tools (based on code from The Coroner’s Toolkit (TCT)). Autopsy is a graphical interface to TSK.
- Splunk Time-based log review. Consolidates logs from any product.
- Swatch Event log monitoring
- Tinc is a self-contained VPN solution
- Trend Micro System Information Collector (SIC) All-in-one “what’s suspicious about my system?” utility
- Ultimate Boot CD For Windows A bootable recovery CD that contains software used for repairing, restoring, or diagnosing computer problems.
- Windows Incident Response (IR) and Computer Forensics (CF) Tools Harlan Carvey
- WinHex: Computer Forensics & Data Recovery Software, Hex Editor & Disk Editor Easy file recovery from NTFS errors
- Wireshark (formerly Ethereal) Network Protcol Analyzer
- Xirrus WiFi Inspector Xirrus Wi-Fi Inspector and Xirrus Wi-Fi Monitor Gadgets/Widgets to troubleshoot 802.11 and detect rogue access points

About Me

Terror Alert Level, Internet Traffic Report

Contents

Pages

Articles

Awareness

Blogroll

Compliance and Guidance

Current threat news

Podcasts

Promotions

Root Cause Investigation

Subscriptions

Tools