InfoSec News

The media is full of security horror stories of company after company being breached by attackers, but very little information is actual forthcoming on the real details.



As an incident responder I attempt to understand what occurred and learn from these attacks, so I'm always looking for factual details of what actually happened, rather than conjecture, hearsay or pure guess work.



Back in April Barracuda Networks, a security solution provider, got compromised and lost names and email addresses. They disclose the breach then took the admirable step of publishing how the breach took place, with screen shots of logs, and their lessons learnt from the attack [1].
I hope that those who unfortunate to suffer future breaches are equally generous enough to share their logs and lessons learnt for the rest of us to understand and adapt for our own systems. The attackers share their tips and tricks, as anyone looking at the uploaded chat logs to public sites like pastebin can attest to this. We need the very smart folks looking after the security at theses attacked companies, that can step up, to take time to write up what really happened is going to make it accessible for the rest of us to learn from.
Seeing the events of an attack in recorded in log files is a terrible, yet beautiful thing. To me it means we, as defenders, did one thing right since detection is always a must. If the attack couldn't or wasn't blocked, then being able to replay how a system was compromised is the only way forward to stopping it from occurring again. drinking that morning coffee while flicking through the highlights of systems should be part of the job description.



Log files need to easy to understand and get information from. As someone who works with huge Windows IIS logs files, automation is your friend here. Jason Fossen's Search_Text_Log.vbs script [2] is a great starting point for scripters or for a more dynamic analysis tool Microsoft's log parser [3] is well worth taking the time to get to grips with. As an example of some of the information you can extract from IIS logs have a read here [4] see how easy it is to pull pertinent data and this blog piece [5] has a excellent way to get visual trending IIS data.



If log analysis isn't something you do much of, then a marvellous way to get some practice in is from this Honeynet.org challenge [6]



It's important to note logging has to be enabled on your systems, set up and reviewed to produce useful information. Multiple logging sources have to be using the same time source, to make correlation easy, so take the time to make sure your environment is configured and logging correctly before you need to review the logs for an incident.
As always, if you have any suggestions, insights or tips please feel free to comment.



[1] http://blog.barracuda.com/pmblog/index.php/2011/04/26/anatomy-of-a-sql-injection-attack/



[2] http://www.isascripts.org/scripts.zip



[3] Download log parser from http://www.microsoft.com/downloads/en/details.aspx?FamilyID=890cd06b-abf8-4c25-91b2-f8d975cf8c07displaylang=en



[4] http://blogs.iis.net/carlosag/archive/2010/03/25/analyze-your-iis-log-files-favorite-log-parser-queries.aspx



[5] http://blogs.msdn.com/b/mmcintyr/archive/2009/07/20/analyzing-iis-log-files-using-log-parser-part-1.aspx



[6] http://www.honeynet.org/challenges/2010_5_log_mysteries





* for you own time management, eyesight and frankly sanity try to avoid this.
Chris Mohan --- Internet Storm Center Handler on Duty (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Google's Admeld deal faces antitrust review
ZDNet Australia
Apple was caught flat-footed by Mac Defender and took nearly a ... http://zd.net/j3xFs4 Has Apple done enough to fight malware on Macs? http://t.co/nHQLpY4 #InfoSec Pandora's IPO debacle: Shares plunge through offering price after a day | ZDNet: ...

and more »
 
Another gaming company had customer data illegally accessed by hackers who copied e-mail addresses, encrypted passwords and birth dates stored in the Sega Pass database. Sega confirmed that no personal payment information was taken because they use external payment providers. On Friday, they indicated that all user passwords were reset and access was temporarily suspended. As of this writing, the Sega Pass is still unavailable to users with a message stating We hope to be back up and running very soon.[1]
that is a sizable target.
[1] http://www.sega.com/sega-pass/

[2] http://playstationlifestyle.net/2011/06/17/sega-pass-database-hacked/

[3] http://isc.sans.org/diary.html?storyid=10768


-----------
Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu (c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Amazon's Kindle e-reader store has a spam problem, and that isn't good news for legitimate authors and consumers trying to find their books.
 
Video game company Sega had a database hacked and sensitive information on about 1.3 million customers has been compromised, according to media reports.
 
The latest Barnes & Noble Nook e-reader is getting a lot of positive buzz, and for good reason. It's thin and light, has a touchscreen interface that's easy to navigate, and is priced the same ($139, Wi-Fi) as Amazon's industry-leading Kindle.
 

US Data Erasure Software Leader Now Certified by European Security Group
RedOrbit
Certification is awarded when software has met all of the criteria for secure erasure of magnetic media in accordance with HMG Infosec standards. After independent testing carried out by QinetiQ, a British global defence technology company under ...

and more »
 
Internet Storm Center Infocon Status