Last weekend I delivered a presentation in a new graphic way and I must say I got very good feedback. Here it is :

How to prevent another SONY PS3 Attack

In my new job I encounter all sort of issues concerning ArcSight products and I was thinking to post my tips and observations here .

Tip #1 – careful what address you set as ArcSight Manager sender.
So, today's tip is about managersetup command. After you've set the notification details for the Whine daemon, the config script tests the outgoing email setup. All ok except the fact that this script will send a test email to the same email address set as notification sender and it will ignore all destination addresses you've set. I have the SMTP pcap capture to prove it.

I just received my CISSP exam results and I passed!  Best Christmas present I could get !

Since WikiLeaks started their epic disclosure, I have witnessed a lot of new stuff being shaped under our own eyes : socially, technically and nevertheless politically.

Since I'm more of a technical guy, I have seen more DDOS countermeasures than in any "peace-time" projects and today, actually right now I'm watching a live attack on www.visa.com called Operation:Payback .

It's like watching live TV on an ongoing natural disaster, only it's man made and it gives me the creeps. Or like seeing the movie V for Vendetta happening live.

In the current DDOS attack on www.visa.com there might be obscure interests and classic botnets involved, but what strikes me is the first ever voluntary botnet made of thousands of home user computers running a bot which is controlled via IRC channels by the attackers.

If you want to get involved, the attackers have presented detailed instructions on how to turn our PC into a voluntary-bot. This is a very scary phenomenon if you think of the combined broadband access available to the current US home computer which is online most of the time.

The result can be seen live on attacker's twitter page

If the twitter account is closed, here's a live screenshot :

Call me old fashioned but I think something is not right …  distributed computing started with seti@home and cancer research and now  ended up on cyber -warfare . maybe this is what we know to do best.

I love and support freedom of speech but I don't support cyber-vandalism, no matter which is the cause it fights for. There has to be a better way ..

Short post .. After more than 5 years of virus free-happy windows-system I got infected by Malware Destructor 2011 Virus … In 5 minutes I had no computer anymore.

I could not believe this is happening to me but it did.. so I'm in the process of re-installing everything. Mad as hell…

beware of this nasty virus : Malware Destructor 2011 Virus . Very good writeup here :

http://www.articlesbase.com/security-articles/is-malware-destructor-2011-installed-via-automatic-updates-system-security-pack-upgrade-legit-get-rid-malware-destructor-2011-virus-3260021.html

that's life..

The Annualized Loss Expectancy (ALE) is the product of the annual rate of occurrence (ARO) and the single loss expectancy. It is mathematically expressed as:

Annualized Loss Expectancy (ALE) = Annual Rate of Occurrence (ARO) X Single Loss Expectancy (SLE) (wikipedia)

Yes, we all know that famous formula which is used in every Risk Management project. But how accurate is the estimation of the Single Loss Expectancy (SLE)?

If we speak about downtime, the impact on business processes varies for each company and for each process. One thing is for sure though: if you provide IT services, better deliver an uptime around 99.x% or have a very flexible and loose SLA with your customers.

You know that uptime is many times a decisive factor in customer retention and in acquiring new business. But what is your actual loss caused by downtime ? I bet you asked this question many times and maybe you even started to draw some complicated math equations.

That's one way to do it, if you have time and energy to spend. Another way to do a proper Downtime Cost Simulation is to use the brainpower of computers like I did.

I just discovered the Downtime Cost Calculator developed by Storagepipe.com and I must say it does exactly what it's name says.

You can test it in the widget below (go on, press the PANIC button)

By using a complex math formula it allows you to see instantly how your dollars are flying out the window in case of a downtime.

The lost sales revenue is coupled with the lost productivity so you can instantly get a glimpse of the total accumulated cost as well as predicted hourly loss.

It's like a stopwatch for the bleeding money so it should raise an alarm about the potential impact of a downtime. Fixing the IT systems and processes is a different story and there are no automated tools to do that in the real world. It takes time and effort or you can outsource this task to Storagepipe, the creators of the Downtime Cost Calculator.

Storagepipe is a company focused on corporate data protection solutions including online backup and recovery, electronic archiving and business continuity. They can assist you trough the whole Risk Assessment process in order to identify and classify data which really matters for your company.

Offiste backup and recovery services will provide you the peace of mind about corporate data because, as we know the risk can be mitigated, accepted or transferred . Transferring seems a good option in this case.

With this post, I make another step into blogging by publishing a guest post written by the kind folks at GFI Software, a great security vendor and friends. Here it goes :

Securing Your Network from Web Threats

There is a price to pay for everything – while the Internet has proven to be an indispensable communication, research and promotional tool for most organizations, with it come a series of web threats and security risks.

What are the risks involved?

Studies have shown that a good amount of employee daily Internet activity is spent on non work-related sites. Morse PLC, for example, reported that 57% of office workers use social networking sites for an average of 40 minutes a day. Moreover Nielsen research revealed that the greatest number of Internet videos watched was on weekdays between 12.00pm and 2.00pm, meaning when most people were at work.

This not only reflects one of the primary side effects of employee Internet use, cyberslacking, which results in lost productivity, but it also indicates that the corporate network is exposed to a series of web threats throughout the day. Harmless-looking websites could be hosting malware and, as a result, if an employee carelessly accesses such sites or downloads files from them, the network is then exposed to a series of security risks. Google Advisory, for example, has shown that frequently visited social networking sites, such as Facebook and Twitter, are regular victims of malware (read more).

Once a company network is infected with malware or spyware, depending on the damage caused, the business experiences a series of negative repercussions which can interrupt, or even halt, its daily operations. Furthermore, in certain cases data could also be compromised or stolen, meaning the company could also end up facing serious legal charges.

What should be done?

Enforcing web security is therefore essential for organizations to protect their systems from web threats. The first step an organization should take is to set an Internet usage policy with clear guidelines as to what type of web use is considered acceptable, while also informing employees that their Internet usage is being controlled.  Controlling employee Internet usage is possible using web monitoring software; the knowledge that their web activities are being monitored encourages employees to curb their non work-related browsing; this in turn – decreases the possibility of accessing dangerous sites.

The next, and most important, step is to make use of a solid web filtering solution which offers protection to the corporate network by checking downloads for malicious payloads and quarantining or deleting infected files. The chosen web filtering solution should also offer the ability to examine websites and scan for hidden files or scripts that are covertly downloaded when the user opens a link to that particular page.

The Way Forward

Businesses need to understand the concept that prevention is better than cure – the savings made in worker productivity, IT labor, and bandwidth – not to mention the cost of defending the organization in court – not only compensate for the investment in a web monitoring and filtering solution but also provides ongoing value.

This guest post was provided by Christina Goggi on behalf of GFI Software Ltd. GFI is a leading software developer that provides a single source for network administrators to address their network security, content security and messaging needs. More information: GFI internet monitoring software.

All product and company names herein may be trademarks of their respective owners.

• Qualys BrowserCheck – nice client side security check tool http://bit.ly/ccAqMN #
• McAfee Risk Management; What threat data if they deploy only vulnerability managers and one correlation engine ? http://bit.ly/bWWGxD #
• New @NetWitness Visualize : Welcome To The Future! http://bit.ly/8XvbnX #
• FireEye and Solera Networks Partner to Provide In-depth Security Analytics for Proactive Cyber Attack Mitigation http://bit.ly/bAljDO #

Powered by Twitter Tools

I have already written about how awesome NetWitness is so I won't repeat what i said in this NetWitness review ; instead I would like to present you the most advanced network traffic visualization system I've ever seen, the NetWitness Visualize.

Imagine you need to file a report on all confidential PDF files which passed trough the network  between 1am and 3am on a Saturday morning. On a multi Gigabyte wire. And you only have one hour to file your report. What a nightmare!

Sorting trough terrabytes of data it is a daunting task to say the least and no matter what file carving tool you use, you still end up with hundreds of PDF files which have to be analyzed by hand.

Now, imagine you can swipe your fingers trough 1:1 renderization of all PDFs which were recorded between 1am and 3am just like Tom Cruise did in Minority Report movie. How cool is that.. in seconds you are able to spot classified watermarked blueprints and other juicy corporate documents.

NetWitness Visualize got it right about human perception of information. It will take a while until we, as humans will be able to read binary (remember Neo in Matrix, the movie?) and until then we need to examine the data reconstructed so that it reflects back  the reality captured in those zero and ones.

And even though I gave a visual example with the PDFs, the same applies to audio data as well. Wouldn't it be cool to be able to instantly listen to each VoIP conversation which was recorded during a 24hrs surveillance ops?  Again, NetWitness Visualize makes this real, only one click away. 

If you want to check for yourselves, there is a live demo of NetWitness Visualize on this website but I strongly recommend you to watch this short YouTube video first .

And, for a good laugh, try to listen to an easter-egg burried as a phone call conversation between the french president Nikolas Sarkozy and Sarah Palin. Sarkozy is singing about Joe the plumber which he takes for Palin's husband and that is priceless.

• fuzzdb : Attack and Discovery Pattern Database for Application Fuzz Testing http://bit.ly/aoerjm #
• Symantec Positioned as a Leader in Three Recent Magic Quadrants – Secure Email GW, SIEM and DLP http://bit.ly/aRrysP #
• Amazing new product by @imperva : File Security – Audit file rights and file access http://bit.ly/an1n72 #
• "GFI Software Acquires Sunbelt Software" ( http://bit.ly/c0mYdR ) #

Powered by Twitter Tools

• Angry researchers disclose Windows zero-day bug http://shar.es/mUibS #
• Google confirms attack on YouTube http://shar.es/mUigF #
• Antivirus Marketshare June 2010 Report — OESIS OK ( http://bit.ly/biB7AA ) #

Powered by Twitter Tools

• I always find inspiration and motivation reading biographies of successful people: @Qualys CEO Philippe Courtot http://bit.ly/9CmbVK #
• "Fidelis Security Systems Integrates Cyber Intelligence from Cyveillance to Provide Advanced Situational Awareness" ( http://bit.ly/9ywqt6 ) #
• nwmap v0.1 Released – Map Network From PCAP File ( http://bit.ly/9BNFEe ) #

Powered by Twitter Tools

I've just read today about the natural integration between Qualys and Imperva, two of the  vendors that I work with and I highly appreciate.

Timing is great for Imperva because the proactive services offered by Imperva's Discovery and Assessment Server had no real correspondence in web application world and that's why QualysGuard Web Application vulnerability scanner fits like a glove.

To put it in their words,

The integration of QualysGuard Web Application vulnerability scanner and Imperva’s SecureSphere Web Application Firewall (WAF) significantly reduces the need for disruptive patching of vulnerabilities. Organizations can use QualysGuard to scan their Web applications for vulnerabilities and then import the scan results into SecureSphere WAF. SecureSphere WAF provides instant mitigation for imported vulnerabilities using a “virtual patch,” which limits the window of exposure and reduces the security risk on the business.

On the other hand QualysGuard gets a couple of benefits suchs as :
- World wide recognition for it's new Web Application Scanner which is the latest addition to the QualysGuard scanner family .

- Sales support from Imperva's Channel . I know I will present this combination (Qualys and Imperva) to all my Imperva customers, whenever possible because I believe I's an effective web application security solution

Here is a short whitepaper (pdf) on this topic.

• RT @ArcSight "Entrepreneur of the Year" – Hugh Njemanze, ARST CTO & VP of R&D – new post from blogger Lisa Kost | http://bit.ly/9JKCWf #
• "Pro CERT – First Romanian Commercial CERT | Dragos Lungu Dot Com" ( http://bit.ly/9I00pF ) #
• RT @pentestit UPDATE: Maltego v3! – get it at – http://pentestit.com/2010/06/17/update-maltego-v3/ #
• RT @securitypro2009 MANDIANT Unveils Web Historian 2.0 http://bit.ly/dBLjL3 #

Powered by Twitter Tools

It brings me great pride and joy to announce the public release of Pro CERT ( Provision Computer Emergency Response Team), the first commercial CERT structure in Romania.

Quoting from Pro CERT RFC2550 charter :

Pro CERT is a project initiated and sponsored by Provision Software Division SRL, the largest privately owned Romanian IT security company.

"Pro CERT offers assistance and coordination in early detection and handling of computer and network security incidents for all it’s constituents. Pro CERT primary constituency include all networks and systems belonging to Provision Software Division SRL and it’s customers.A secondary goal in terms of constituency is represented by the Romanian TLD : .ro for which Pro CERT aims to be a certified  point of contact for incidents targeting or initiated from Romania.

Pro CERT is dedicated to preventing security incidents by offering direct proactive measures and security quality management services. Pro CERT operates under the authority of Provision’s Managed Security Services business division, which manages the operational authority between Pro CERT and each of its constituents trough individual SLAs. 

Pro CERT core activities imply close cooperation with all large ISP's abuse teams from Romania and abroad, direct contact and data exchange in order to prevent and recover from security incidents that affect Pro CERT’s constituents.

Pro CERT operates under the restrictions imposed by Romanian law. This involves careful handling of personal data as required by Romanian Data Protection laws, but it is also possible that – according to Romanian law – Pro CERT may be forced to disclose information due to a Court's order. "

Just like the Oscar winners, I would like to thank my team without whom none of this could have happened . It's a young project but we are very ambitious and we have set our goals high !  Please contact me directly,leave comments or register on www.pro-cert.ro  if you would like to cooperate with Pro CERT.

Please find below the opening presentation I gave on Provision Security Days conference about Pro CERT.
 

Do you like my presentation ? Thanks !

For a long time I wanted to write a review on GFI EventsManager 2010 and I'm glad I'm doing it because for me it's a very good example of software built the right way for the right job at the right time.

Having spent my last 5 years working with SIEM giants like ArcSight and RSA EnVision, I have experienced first hand the benefits and sometimes the downfall of  SIEM / ESM solutions.

GFI EventsManger takes a simple and robust aproach to log and event management and this is shown in the way it does the collection of data, the analysis, storage and reporting.

The collection of data is done agentless which is a big plus and the solution  can collect and process Windows events, W3C event logs, Syslog messages, SNMP Trap and SQL Server logs.  This allows one to collect more data from the different hardware and software systems that are most commonly available on a typical corporate network.

GFI EventsManager offers one of the best asset management interface allowing one to group assets (servers, workstations, netowrk devices) and quickly display events filtered by numerous criteria.

The list of supported devices can be found here (a bit outdated, needs an update to 2010 version) and it includes top vendors in all major security domains :access control, perimeter, endpoint , directory services, content filtering, IDS / IPS, operating systems and much more.

The solution uses two collection engines, the Event Retrieval Engine and the Event Receiving Engine which cover all supported log formats, either passively such as Syslog and SNMP or actively connecting systems handling W3C and Windows events.

Once the events have reached them main processing unit, GFI EventsManager will run a set of event processing rules on the collected events. The solution ships with a rich set of out-of-the-box rules such as :

• Classifying the events as Critical, High, Medium, Low or Noise (which are discarded)
• Filtering events based on specific criteria
• Triggering email, SMS and network alerts on key events
• Triggering remediation actions such as the execution of executable files or scripts on key events
• Optionally archiving collected events in the database backend.

GFI EventsManager uses a MS-SQL database backend which can quickly fill up so the solution provides functionality to disk-archive the main stream of events and save only the important alerts in the database.

Accessing the data is straight forward using Event Browsing which does a great job at presenting the events is an easy-to-read format. Event Browser can also be used as a forensics analysis tool because of it's ease of use in drilling into recorded events.

Reporting is done via  the GFI ReportCenter framework which offers consistent reporting features for many GFI products. There is a dedicated ReportPack for GFI EventManager which loads in the reporting framework so you can benefit from the framework powerful reporting features tailored to the specific data provided by EventManager.

Reports can be scheduled and can be sent by email or exported as to various formats including HTML, Adobe Acrobat (PDF), Excel (XLS), Word (DOC), and Rich Text Format (RTF).

Conclusion
GFI EventManager 2010 is a very efficient and effective log and event management tool which covers most of the daily security monitoring activities. However, there is room for expanding this product by adding support for more log formats (ODBC, flat text, vendor specific protocol like CheckPoint OPSEC, etc). Also event normalization and aggregation could improve the in-memory correlation for more complex AI alerts .

Licensing is very affordable for this class of products and it's based on number of nodes reporting events. Also, don't forget that you can always download a full working evaluation version from here .

• SC Magazine US awards perfect score to Netgear ProSecure. Good content filtering for less than 3k USD . Cool ( http://bit.ly/aDzC5M ) #
• RT @agent0x0 RT @securitymonks: RIPS – A static source code analyser for vulnerabilities in PHP scripts http://goo.gl/H65C #

Powered by Twitter Tools

I just received today a phishing email which had an HTML attachment and of course it asked me to click the attached file.

By opening the attached file as text I noticed it's packed with scrambled / encoded JavaScript which unfortunately I don't speak fluently.

I have uploaded the file on my webserver and I scanned with QualysGuard Malware Detection service which runs the discovered malware in a sandbox OS to detect the effects on an ordinary PC but unfortunately I didn't get any results.

By unscrambling some URLs I found remote calls to http://onnoe.ru:8080/index.php?pid=10 which gave me a hint that this malware might be used as trojan / botnet harvester.

So, I would appreciate if anybody could take a look at the malware JavaScript and share the results with me .. I'm extremely curious on what it does.

Anyways, here is the culprit JS code saved as txt.

Thank you!

• dotDefender busted by Sandro Gauci of EnableSecurity ( http://bit.ly/cLN9Uy ) #
• RT @Hfuhs: WordPress user: Be careful where you get your theme from – http://fuhs.eu/16h #
• RT @Imperva: History of Hacking in One Cool Graphic http://bit.ly/bQYUim #
• attending Provision Security Days at seaside in Olimp, Romania .. cold, windy. Hopefully that will keep the guests focused on the conference #
• Just released Pro CERT : ProVision Computer Emergency Response Center http://slidesha.re/cMYcDC #

Powered by Twitter Tools

• "Patch management for non-Microsoft software products with new release of GFI LANguard" ( http://bit.ly/9CcODJ ) #
• "BBC News – First human 'infected with computer virus'" ( http://bit.ly/96Lhg4 ) .. amazing ! #

Powered by Twitter Tools