Monday, November 26, 2007


The Russian Business Network continues to make news. It's reported that their St. Petersburg network has gone dark and that they've opened up shop in China.

It also appears they may have been involved in hijacking part of the Monster job site as well, using it to leverage an IE IFrame attack against job hunters there.

November 20, Computerworld – (National) Hackers jack, infect job hunters. Monster took a portion of its Web site offline Monday as researchers reported that it had been compromised by an IFrame attack and was being used to infect visitors with a multi-exploit attack kit.

According to Internet records, the Russian Business Network (RBN) hacker network may be involved. Parts of the Monster Company Boulevard, which lets job hunters search for positions by company, were unavailable Monday; by evening, the entire section was dark. Most major American companies are represented on the site. Job seekers who used Monster’s by-company directory on Monday before the site was yanked were exposed to Neosploit, an attack tool kit similar to the better-known Mpack, said the chief technology officer at Exploit Prevention Labs Inc.

The injection of the malicious IFrame code into the site probably happened Monday, he added. Like many other IFrame exploits, this one silently redirected the user’s browser to another site hosting Neosploit. In the case of at least one of the exploit sites the researcher identified, there is a connection to the notorious RBN, the hacker and malware hosting network that recently shifted operations to China, then mysteriously abandoned the IP blocks it had acquired in China, seemingly vanishing from the Internet.


Friday, September 21, 2007


Well, the fallout from the German government outlawing hacking and security tools (there is some vague wording about security professionals using them, but it's being reported that folks there aren't taking chances) has started already. According to the Security4All blog page, the KisMAC project has shut down because of it and the Phenoelit project had to move offshore.

This reminds me of the controversy in the United States over gun control. Opponents say, "If guns are outlawed, only outlaws will have guns." Pretty much the same premise applies here. If the security tools we use to audit and lock down our networks are taken away from us, we become inherently more insecure. Meanwhile, the Bad Guys will continue to utilize them. What do they care about another law? The end result of hacking is already illegal (accessing another network without permission; stealing, changing or removing data; etc.). Will this have any impact for good on the overall security posture of the Internet? I think not. Unfortunately, the reverse will be the result. Let's hope this doesn't become a trend, and the good der Mensch of the German government come to their senses and revoke this law.

Friday, September 14, 2007


If you haven't played with WMI yet, check out these ISC diary articles by Mr. Incident Response himself, Ed Skoudis. Ed is at the top of the field in incident response and forensics, a fantastic teacher for SANS and a pretty funny guy to boot! But I digress... WMI, which stands for Windows Management Instrumentation, is a framework built into Windows XP Pro and above for managing local and remote nodes. It has some really useful functionality as a reporting tool for investigating security issues on the box. Read and enjoy...
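As an added example of the reporting side of WMI (my own script, not from Ed's diaries or this blog), here is a PowerShell first-look triage that pulls the things an incident responder usually wants to see first from a suspect box, locally or across the network. It assumes PowerShell 1.0 or later with the Get-WmiObject cmdlet and administrative rights on the target; the evidence folder name and the Save-Report helper are my own choices, and the computer name is a placeholder.

```powershell
# Added example (my own, not from the ISC diaries or this blog): a first-look WMI
# triage report from a suspect Windows box, run locally or against a remote node.
# Assumes PowerShell 1.0 or later (Get-WmiObject) and admin rights on the target.
param(
    [string]$ComputerName = ".",      # "." = this machine; hostname or IP for a remote node
    [string]$ReportDir    = "C:\IR"   # assumed evidence folder name; change to taste
)

# Tag the output files with the real host name rather than "."
if ($ComputerName -eq ".") { $tag = $env:COMPUTERNAME } else { $tag = $ComputerName }
if (-not (Test-Path $ReportDir)) { New-Item -ItemType Directory -Path $ReportDir | Out-Null }

# Print each query to the console AND save it as CSV so the evidence outlives the session.
function Save-Report($Objects, $Name) {
    $Objects | Export-Csv -Path (Join-Path $ReportDir "$tag-$Name.csv") -NoTypeInformation
    Write-Output "=== $Name ($tag) ==="
    $Objects | Format-Table -AutoSize -Wrap
}

# Identity and uptime: a box that "rebooted" at 3 a.m. on a Sunday deserves a closer look.
$os = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName |
    Select-Object CSName, Caption, CSDVersion,
        @{Name='LastBoot'; Expression={ [Management.ManagementDateTimeConverter]::ToDateTime($_.LastBootUpTime) }}
Save-Report $os "OperatingSystem"

# Processes with parent PIDs, binary paths and command lines: odd parents (a shell
# spawned by a browser) and binaries in user-writable paths stand out immediately.
$procs = Get-WmiObject -Class Win32_Process -ComputerName $ComputerName |
    Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine |
    Sort-Object ParentProcessId, ProcessId
Save-Report $procs "Processes"

# Services with their binary paths and accounts; compare against a known-good baseline,
# since malware that wants to survive a reboot often registers itself as a service.
$svcs = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName |
    Select-Object Name, State, StartMode, StartName, PathName |
    Sort-Object State, Name
Save-Report $svcs "Services"

# Autostart entries (Run keys, Startup folders) as WMI reports them.
$startup = Get-WmiObject -Class Win32_StartupCommand -ComputerName $ComputerName |
    Select-Object Name, Command, Location, User
Save-Report $startup "StartupCommands"

# Local accounts: look for new or re-enabled users and accounts with no password required.
$users = Get-WmiObject -Class Win32_UserAccount -ComputerName $ComputerName -Filter "LocalAccount = True" |
    Select-Object Name, Disabled, Lockout, PasswordRequired, SID
Save-Report $users "LocalAccounts"

# Active network configuration: unexpected DNS servers or gateways point at traffic hijacking.
# The array properties may be null, so guard the joins.
$nics = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -ComputerName $ComputerName -Filter "IPEnabled = True" |
    Select-Object Description, MACAddress, DHCPEnabled,
        @{Name='IPAddress';  Expression={ if ($_.IPAddress) { [string]::Join(',', $_.IPAddress) } }},
        @{Name='Gateway';    Expression={ if ($_.DefaultIPGateway) { [string]::Join(',', $_.DefaultIPGateway) } }},
        @{Name='DNSServers'; Expression={ if ($_.DNSServerSearchOrder) { [string]::Join(',', $_.DNSServerSearchOrder) } }}
Save-Report $nics "NetworkConfig"

# Installed hotfixes date the patch level, which narrows down what the box was exposed to.
$fixes = Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $ComputerName |
    Select-Object HotFixID, Description, InstalledOn
Save-Report $fixes "Hotfixes"
```

Run it as `.\wmi-triage.ps1 -ComputerName suspect-host` (placeholder name); a remote query needs RPC/DCOM reachable and an account that is an administrator on the target. The CSV files give you something to diff against the same report taken from a known-clean build of the same image, which is where the odd service or startup entry usually shows up. Keep in mind that everything here is what the WMI provider on the box chooses to report, so a kernel-level rootkit that hides processes from the OS hides them from this too; treat it as a fast first look, and confirm anything serious from a memory image or offline disk analysis.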

Monday, August 20, 2007

A little off-topic

Not network security related, but makes me so angry I have to post it.

August 17, Washington Post
Defense contractor was paid $1 million to ship two washers.
A South Carolina defense contractor pleaded guilty Thursday, August 16, to bilking the Pentagon out of $20.5 million over nearly 10 years by adding hundreds of thousands of dollars to the cost of shipping spare parts such as metal washers and lamps. The parts were bound for key military installations, including those in Iraq and Afghanistan. In one instance, in 2006, the government paid C&D Distributors $998,798 in transportation costs for shipping two 19 cent washers. Charlene Corley, 47, co-owner of C&D Distributors, used the money to pay for luxury homes, cars, plastic surgery and jewelry, according to court

Do you remember the stories at the beginning of the Iraq war, about soldiers scavenging junk yards for metal plates to make armor for their Hummers? Regardless of whether you agree with the war or are vehemently opposed, this kind of fraud against our military in a time of war is, to me, tantamount to treason. Wonder what kind of punishment she'll get? A year or 18 months in a minimum security prison?

Tuesday, July 31, 2007

SANSFIRE 2007 - that's a wrap!

I'm sitting in my hotel room in Washington, D.C., having just completed another great SANSFIRE conference. SANSFIRE is the granddaddy training and informational conference put on by the SANS organization, with 28 different classes and a host of top notch presentations this year.

All the usual suspects were in attendance, such as Ed Skoudis, Mike Poor, Chris Brenton (who taught the track I was in), Dave Hoelzer, Dr. Eric Cole, and a giant cast of other information security notables. This year the conference was hosted once again by the Internet Storm Center, led by Marcus Sachs and Johannes Ullrich, as well as many of the ISC handlers.

Some evening highlights I was able to attend included:

  1. A State of the Internet panel discussion moderated by Marcus Sachs, with a panel of nine Internet Storm Center handlers including Bill Stearns, Lorna Hutcheson, Adrien de Beaupré, Jim Clausing, and Chris Carboni.
  2. A fantastic and chilling talk by Lorna Hutcheson on the changing face of malware.
  3. A presentation by Dave Hoelzer on DAD, a free, open source log management tool for the Windows platform from Enclave.

All in all, the six days sure went fast, and I'm looking forward to next year's event and another mass injection of knowledge in the world of information security.

Tuesday, July 17, 2007

Military FTP sites

It's been reported that FTP file servers run by the military were discovered to be wide open, by reporters from AP no less, allowing the download of maps of Iraqi military facilities, descriptions of security features and plans for infrastructure upgrades. The sites either had NO password protection (as if those files should have been on publicly accessible FTP sites to begin with), or, in one case, the password was included in another file on the server. If we are constantly losing the battle to secure sensitive data of national concern, how can we expect to win the real military battles being waged? This was not because of techno kung-fu applied by uber hackers of malicious nation states, but because of simple sysadmin-type negligence that should have gone the way of the dodo bird ten years ago. Maybe the solution is to apply penalties in line with what this truly does, that is, put folks in harm's way.

Thursday, June 28, 2007

Wireshark and Firewall Rules

One of the infrastructure folks where I work showed me a nifty feature in Wireshark I'd never noticed before. Click on any captured packet and go to Analyze > Firewall ACL Rules. A dialog box pops up showing you the syntax for a rule denying or accepting the packet by IP, MAC, port, or a combination thereof, depending on which device you choose. Supported are Cisco IOS, iptables, IPFirewall (ipfw), Windows Firewall, and pf (BSD's Packet Filter firewall). Very nice.

Wednesday, June 27, 2007

Internet Storm Center

One of my favorite places to check each morning is the Internet Storm Center, run by SANS. A handler is on duty at all times, keeping track of emerging trends, new malware and outbreaks, or, when things are slow, just interesting things in network security. Often a handler will share the methodology they used to analyze an incident or reverse engineer a piece of malware. Browsing back through the archives is a great learning experience in itself. I usually print out the better analysis pieces for a little light reading at lunch!

Monday, June 25, 2007


A good weekend for me is one that doesn't require me to stop what I'm doing and run home to check on some event an IDS or logger is reporting. I'll be remoted in at some point, that's a given; it's just nice to be able to choose when that happens. Of course, there are also the installs/upgrades/fixes/tweaks that happen regularly. If you're part of a small network security team, or maybe you ARE the team, ever notice how much of your time is taken up with sysadmin duties? Installing, patching, upgrading, and it always seems like something's on the fritz. Makes for busy days when EOIs (events of interest) are on the uptick and you need to dig deep.

Oh, well... that's the part they REALLY pay you for, whether they're aware of it or not. Let a few go unnoticed and an incident happen, and all of a sudden they are acutely aware of it again. =-)

Friday, June 22, 2007

Fake Adobe Shockwave Download site

The Internet Storm Center is reporting that a reader discovered a fake Adobe Shockwave website serving up a Trojan that has a very low detection rate on VirusTotal.
Details here:


I'll be attending SANSFIRE the last week of July, my third year running for that venue. I've attended SANS conferences in New York and San Francisco as well, but I really like the D.C.-based SANSFIRE best. The mix of military, business and federal government folks (a lot of them with three-letter acronyms behind their names) makes for a very interesting atmosphere. SANS always has their best instructors and classes there, as well as a ton of SANS@Night classes, Birds of a Feather roundtables, and Lunch and Learn sessions with vendors (a good way to score a free lunch and see a demo of some nifty new product).

Thursday, June 21, 2007


Welcome to my Network Security blog. I'll be discussing news in the information security world, new trends, products I've come across, and any tips that are hopefully worth sharing.
