Source: Enterprise Networking Planet - Posted by Eckie Silapaswang
If you have only a single computer, then it's possible for you to spend your days giving it careful manual scrutiny for mischiefs and problems. Perhaps not entirely desirable, but possible. But in the real world we need good tools to monitor and warn us of mischiefs, so we can actually go outside and have a life every so often. Intrusion detection is one of those gnarly jobs that can make you paranoid and nervous — it seems the more you study it, the more difficult, scary, and unreliable it appears.
PSAD? Check. Snort? Check. Be sure to check out this article for a quick overview of IDS tools, then check out our HowTo's to see example implementations!
A breadth of anti-forensics tools -- most of them free -- is making it easier for the bad guys to cover their tracks in malware and data theft attacks.
"The bottom line is most criminals are not the brightest bolts in the box and they tend to make mistakes, which forensics has been able to use to its advantage," says Paul Henry, vice president of technology evangelism for Secure Computing. Henry will discuss the increasingly popular anti-forensics tools at a session at InfoSec World in Orlando this week. "But a smarter individual can [today] easily find tools to cover his tracks."
Source: Technet.com - Posted by Benjamin D. Thomas
In technical terms, a honeypot performs a function very similar to that of a "honeypot" in the outside world: a sweet lure. A "honeypot" is a system designed with the purpose of attracting the attention of prospective attackers, to assess how they are attempting to infiltrate the machine and what they are doing once they gain access. There are literally thousands of honeypot networks and systems set up by security professionals and hobbyists worldwide. These systems can provide a wealth of information for forensics and for assessing trends in network intrusion.
Snort and Sourcefire users are urged to update their intrusion detection software following the discovery of a potentially serious security vulnerability.
A stack-based buffer overflow security bug in the preprocessor handling DCE/RPC traffic means hackers could inject hostile code onto systems running the popular open source Snort package and its commercial equivalent, Sourcefire. Snort versions 2.6.1, 2.6.1.1, 2.6.1.2 and Snort 2.7.0 beta 1 are all vulnerable to the bug.
Source: ITworld.com - Posted by Benjamin D. Thomas
The Web Honeynet Project, an independent group of Honeynet researchers from Securiteam and the ITOSF have decided to launch web application honeynets with a new twist. The twist is, they plan to name not only the attack details, as is usual, but also to divulge the IP addresses and other tracking information about the attackers themselves.
I am frequently asked questions; many of the questions are the same things over and over again, and I always see the same mistakes being made when setting it up. So, I've compiled a list of the top ten mistakes and commonly misconfigured or overlooked things when configuring everyone's favorite IDS.
While the Storm Center handlers make an effort in the timely reporting and dissemination of information regarding malware and distributed threats as they occur to keep our readers in tune with the beat of things, we can't *always* be at the cutting edge. If you have the capability of deploying new tools and infrastructure, you might consider extending your efforts to grow your organization's insight and visibility into the nefarious workings of the net. Provided you choose to do so, or already have such efforts underway, I suggest sharing with us any significant findings!
Source: NetworkComputing.com - Posted by Carney Mimms
They make up only a tiny percentage of malware, but rootkits help spyware and trojans avoid detection and removal. Find out how the security community is responding to rootkits and what new steps have been taken to prevent their installation.
Source: PC Authority - Posted by Benjamin D. Thomas
The report advises implementation of a "least privilege" environment to reduce the impact of such attacks.
Marco Peretti, chief technical officer at security firm BeyondTrust, agreed with the findings of the Sans Institute, urging users to follow the "principle of least privilege" in setting user access controls, permissions and rights.
Peretti also suggested restricting or limiting the use of active code such as JavaScript or ActiveX in browsers.
The .eu top-level domain is relatively new and in its build-up phase, and a co-worker noticed something fun.
When ssh'ing to a local server, he typo'd and finished the DNS name as .eu, it connected with an SSH handshake (it was a new server so the key warning wasn't considered a big deal) and took a password. The individual immediately recognized the problem when the password wasn't accepted and we investigated.
It appears any DNS name at ourdomain.eu would resolve to this machine. Not only that, but the machine in question was hosting at least 7 other domains under .eu that would map to an educational institution. For instance, for a "fake" educational institution at ufoo.edu you could search for ufoo.eu and get a response from this machine.