Aug 14 2009 12:48PM GMT
Posted by: Troy Tate
malware,
bootkit,
rootkit,
antivirus,
threats,
vulnerabilities,
research,
blackhat,
hacker,
least user authority,
least user privilege
If you have not been nervous before about someone infecting computers without your knowledge then you should be much more nervous after reading this article.
In 1987 the Stoned boot sector virus came out and was one of the most prevalent viruses of the early personal computer era. As with most malware concepts, this old threat has been made new again.
An 18-year old security specialist gave a presentation on a bootkit/rootkit (STONED) at the annual Blackhat security conference. This bootkit is not your typical bootkit in that it can bypass disk encryption and load itself into memory before the disk encryption software is activated. The demonstration showed the bootkit loading before disk encryption is activated. Once the malware is loaded from the master boot record (MBR), it is then in memory and can download other malware such as trojans to capture banking credentials.
The bootkit software can be installed either by having physical access to the device or by a user with administrative credentials (this makes a good case for the “least user authority” (LUA) principle). Once the malware is installed and activated it is very difficult to detect. According to one article:
Once installed, Stoned cannot be detected with traditional anti-virus software because no modifications of Windows components take place in memory, says Kleissner. Stoned runs in parallel with the actual Windows kernel. Even an anti-virus function in the BIOS can’t stop the bootkit, as modern Windows versions modify the MBR without referring to the BIOS.
Our challenge as infosec professionals is laid out before us. How we deal with threats like these and protect our users and organizations becomes more difficult all of the time. We have to stay on top of our game because the rules and game conditions are always changing.
Thanks for reading & let’s continue to be good network citizens.
Jul 28 2009 3:11PM GMT
Posted by: Troy Tate
Microsoft,
patch management,
Metrics,
framework,
maturity model,
patch management framework,
research,
asset management,
lifecycle management
Securosis and Microsoft have teamed up and released an Open Patch Management Metrics Model. The purpose of this model is to “provide organizations with a tool to better understand their patching costs.” The model also has ten steps with multiple substeps to help guide an organization through a patch management process framework.
The document can be found on the Securosis website. More information will be released as the model matures and additional organizations contribute to the research. Let the ITKE community know your thoughts on this model and if the metrics are meaningful to your organization.
For myself, I think that the metrics would be good to gather but would be a challenge to maintain when we are always being challenged to do more with less.
Thanks for reading & let’s continue to be good network citizens!
Jun 29 2009 8:15PM GMT
Posted by: Troy Tate
computer vulnerability,
troubleshooting,
hardware,
hardware failure,
diagnostics,
research,
computer peripheral,
keyboard failure,
keyboard
On Friday I posted a tongue-in-cheek type posting about a worm taking down a laptop. Not necessarily big news but something different to see as a risk to computing equipment.
Another similar story came to my attention today. It has to do with ants in a membrane switch type keyboard. Check out the article Ant Farm In The Keyboard. Hey… isn’t it about sharing troubleshooting information between peers? wink-wink - nudge-nudge
Thanks for reading. Have a great day and let’s continue to be good network citizens!
Feb 27 2009 7:41PM GMT
Posted by: Troy Tate
network testing,
network,
testing,
toolkit,
research,
throughput,
analysis,
Performance,
performance monitoring
There will always be some user saying “the internet is slow”. There are many resources out there to test internet connections. The Measurement Lab is one I came across the other day. There are several useful tools under this page. Some of the tools and descriptions are listed below. Maybe one of these will be useful to you or your users some day. Just remember you heard about it on IT-Trenches! Thanks for reading and let’s continue to be good network citizens.
-
Test your connection speed and receive sophisticated diagnosis of problems limiting speed.
-
Test whether BitTorrent is being blocked or throttled.
-
Diagnose common problems that impact last-mile broadband networks.
-
Determine whether an ISP is giving some traffic a lower priority than other traffic.
-
Determine whether an ISP is degrading the performance of a certain subset of users, applications, or destinations.
Feb 25 2009 2:30PM GMT
Posted by: Troy Tate
information security,
infosecurity,
tools,
toolkit,
management,
research
This may be a couple of years old, but the need for infosecurity tools and requirements for cheap solutions has not changed. This was first published in the CSO magazine in 2006. The tools have only gotten better since then. Hope you can find some use for the tools that it recommends in these trying budget & resource times.
Thanks for reading & let’s continue to be good network citizens!
Jan 26 2009 7:14PM GMT
Posted by: Troy Tate
Firewalls,
internet,
WWW,
Subnet,
malicious activity,
malware,
research,
network,
graph,
activity,
Security,
network security
For those of you who manage your own network, you have to consider the strength of the firewall at your network perimiter, the knowledge and skills of those who manage it. You also have to provide technology that can help protect your mobile users. Part of building that secure environment is understanding the environment out there in the wild world web.This is just one of the resources available out there. Please leave feedback if you are aware of others that might be useful to readers.
I recently came across an interesting graph that shows where some of the malicious traffic originates from on the internet. It is called the Internet malicious activity map (PNG) The graph is from Team Cymru. The graph displays in “heatmap” style in a Hilbert Curve (check this out if you are a fan of fractals). This is an interesting way to graph a lot of data in a small space. As is true in heatmaps, the colors indicate the concentration of malicious activity. The lighter the color, the higher the malicious activity. Take a look at the 85.x.x.x/8, 87.x.x.x/8, and 88.x.x.x/8 sections of the graph. Looks like these networks are major sources of malicious activity on the internet. I would recommend reviewing this graph and determining if the address ranges showing high malicious activities are part of your organization’s network. If so, then be very concerned. If not, then does your network receive any traffic originating on these subnets? Maybe you should consider blocking traffic from these source subnets. See the Team Cymru Malevolence Monitoring website for more security oriented information.
Thanks for reading and let’s be good network citizens!
Jan 6 2009 4:23PM GMT
Posted by: Troy Tate
information security,
bho,
activex,
Security,
website,
community,
Database,
malware,
research
Have you ever wondered if an application or running process is good or bad? Google searches do a good job of helping you determine if a process is legitimate or not. I just came across another resource in the fight against malicious software. It is a search engine for files, CLSID’s, and application names. The site is SystemLookup. The search results show whether the item is Malware, spyware, adware, or other potentially unwanted items, Legitimate items, Open to debate, or Currently unknown status. The various categories available for search include:
browser helper objects (BHO), toolbars, search hooks, explorer bars
Internet Explorer Buttons
Layered Service Providers
ActiveX Installs
Extra protocols
AppInit_DLLs & Winlogon Notify
ShellServiceObjectDelayLoad
Shared Task Scheduler
Services
The website is community-based so please contribute and improve this resource for security information.
Oct 27 2008 8:52PM GMT
Posted by: Troy Tate
Networking,
forensics,
Security,
tools,
Microsoft Windows,
Linux,
Monitoring,
web,
reporting,
Google,
internet,
IT education,
WAN,
LAN,
performance monitoring,
troubleshooting,
Performance,
Network TAPs,
howto,
network analysis,
Metrics,
wireshark,
packet capture,
research,
education,
toolkit,
man-in-the-middle,
analysis
Checkout the Sharkfest 2008 videos at LoveMyTool.com. If you use Wireshark or want to learn network troubleshooting, this is one of the best resources you can have in your toolkit. The videos will give you a better understanding of this tool and other tools out there.
There is even a video of Dr. Vinton G. Cerf, vice president and Chief Internet Evangelist for Google. He is responsible for identifying new enabling technologies and applications on the Internet and other platforms for the company. Widely known as a “Father of the Internet,” Vint is the co-designer with Robert Kahn of TCP/IP protocols and basic architecture of the Internet.
Have a great day and thanks for stopping by!
Oct 10 2008 7:58PM GMT
Posted by: Troy Tate
Security,
Monitoring,
reporting,
IT education,
Data security,
malware,
performance monitoring,
botnet,
Metrics,
risk,
research,
awareness,
vulnerability,
dhs,
analysis
If you are into metrics, you might find this article rather interesting. For Good Measure: Type II Reverse Engineering
A couple of the security metrics I find interesting:
Counterfeit hosts (zombied/botted): 30% (estimated)
Odds that neither end of a P2P session is øwned: 50–50
Bytes required to counterfeit a presidential candidate: 1
Dollar value of counterfeit Cuban
cigars: $100 million
Dollar value of counterfeit whisky: $700 million
Dollar value of counterfeit IT: $100 billion
Information like this really helps you understand why hackers and criminals do the things they do. I’m not endorsing it by any means.
