Showing posts from May, 2009

MIR-ROR, for incident response

You can’t publish a cool tool without a cool name.
To that end, I am proud to present:
MIR-ROR: Motile Incident Response – Respond Objectively, Remediate.
If that doesn’t qualify me as an uber-dork (like that needed qualification), nothing will. ;-)
I was rooting about all my USB fobs and discovered one I received while at LE Tech last year. Hiding therein was a handy script that Microsoft forensics mastermind Troy Larson had written to gather investigative data from target machines using a USB stick. I reached out to Troy, and he graciously agreed to allow me to brand the script, as well as maintain and optimize it for your use during incident response engagements.

I consider MIR-ROR a specialized, command-line, RAPIER-like script that makes use of the all-important Windows Sysinternals tools, as well as some other useful tools. Further, as you will see, you can easily enhance the script to your liking with whatever command line tool tickles your fancy.

Incident responders and handlers…

WhiteHat's trustmark program as a game changer

I am a trustmark hater, I admit it; this should surprise no one.
I have labored long and hard over this post, but I believe it to be relevant and important.

WhiteHat Security, the genesis of Jeremiah Grossman's vision for web application security, has instituted a trustmark program.

Carefully branded a Security Certification Program, this offering seeks to raise the bar on the trustmark concept, a game changer if you will.
On one hand, this won't be hard to do.
As I have in the past, I could rail against the dime a dozen, pseudo-fraud programs that are nothing but conversion gimmicks designed to drive sales through falsely gained consumer confidence. They can all take their Nessus scanners and bugger off.

Instead, I'd like to describe why I think WhiteHat Security can shed new light and standards on this concept.
1) Reputation: WhiteHat Security has always been a premier brand in the realm of web application security. This is indisputable. Their scanning engine, their business …

WebTuff checks for WebDAV vulnerability

The folks at Applicure, the dotDefender vendor, have created WebTuff, a free utility to check for the IIS 6 WebDAV vulnerability.
I occasionally run into dotDefender when I'm "analyzing" web application security issues on the Intarweb, and can say that I've been pleasantly surprised by its capabilities.
Please note: This is not an endorsement for Applicure products; simply consider it the suggestion that they are worthy of your consideration.
To that end, a free utility is always a great way to generate interest; if you're concerned about exposure to the WebDAV vulnerability, give WebTuff a try.
Cheers.

Please support the Open Security Foundation (OSVDB)

SearchFinancialSecurity: The need for financial Web application security

The current lead story on is my contribution Why financials must implement Web application security best practices.
This is a follow-up piece, a summary if you will, on my Online Finance Flaws campaign, kindly solicited by TechTarget to drive home the point: is there any sector that, more than financial services, must take a stronger stance with regard to Web application security?
Answer: Not that I can think of.
Security hits to financial-services firms have far-reaching impacts beyond individual victims, including economic implications that can contribute to global economic malaise.
This article offers examples of flaws noted in major financial-services websites, data from OWASP's Security Spending Benchmarks Project Report as well as best practices guidance derived from security development lifecycle (SDL) methodology.
I invite you to read the article at your earliest convenience.
As always, feedback is welcome.


Desktopsmiley: Annoying and insecure

Adware giant annoys me in ways I can't repeat here (to protect the innocent and moral among you), so I'll keep this simple.

Some facts:
1) is ranked 287 in the world according to Alexa.
This is simply stupefying to me, and testament to the fact that there are way too many oblivious people installing this crapware.
2) The geniuses at have wrestled long and hard with the antivirus vendors such that their latest installer doesn't trip a single signature per VirusTotal. Further ground for to be much annoyed...and perhaps impressed at their obvious negotiation skills.
3) has a privacy policy. Rejoice! Now we can all install it and know our data and our privacy is protected. Or not. Just read this dreck and you'll shudder at the clearly defined consequences of installing this "not spyware".

I am therefore inclined to point out that this spectacular product offering cares little for your privacy or…

WebCollab - Billy Goat security goodness

A quick shout-out to the WebCollab team for a transparent and quick turnaround on security fixes for vulnerabilities I reported through Secunia.
They were prompt, communicative, and thorough in their review, claiming that "this is the first publicly notified issue with WebCollab in more than six years of releases."
I truly appreciate teams who openly address their methodology, the change log, and the core issues.
Well done and thank you, WebCollab. Yours is a model I wish others would adopt.
Cheers.


The McAfee Secure Double Standard

McAfee Secure claims to be McAfee Secure while not McAfee Secure

It's been a rough week for our McAfee Secure friends.
First, an XSS, Iframe injections, and XMLHTTP outing provided by, followed quickly by a CSRF browbeating from The Skeptikal One, Mike Bailey.
While these findings should not come as a surprise, I have no doubt McAfee moved as quickly as possible to resolve the issues.

What sadly should also not come as a surprise is that the entire time these numerous vulnerabilities were live, so too was the McAfee Secure trustmark.

I realize it is highly unlikely that McAfee Secure will remove the McAfee Secure trustmark when they are not McAfee Secure, but it nonetheless exemplifies a double standard.
The key question is this.
If the McAfee Secure customer portal is vulnerable to CSRF for 4-5 weeks while the portal code is under repair, should it declare itself McAfee Secure?

To further my point, language from the McAfee Secure Standard:
In the event that McAfee discovers a vul…

Probable fraud, definite XSS

While I've recently been trying to take a more positive tack in my exploration of online security issues, I must digress.
Cable viewers have again been endlessly inundated with Home Based Business advertisements claiming riches beyond your wildest dreams.
You know the one..."I made over $9000 last month working from home part-time."
Same message, different URL; they simply change the URL every so often. The current domain is, others have included and
All of this complete bulls**t is brought to you by LG Technologies of Temecula, CA, under the premise of Home Based Business - As Seen on TV.

First, the fine print:
The incomes depicted are not typical and represent a small percentage of actual participants. There are no guarantees that participants will be able to achieve the income levels depicted.

Second, your privacy at risk:
We will maintain a record of your Personally Identifiable Information (PII) that will be sold or tran…

SUMO Linux: Security utilizing multiple options

May's toolsmith, in the ISSA Journal, features SUMO Linux: Security utilizing multiple options.

From the column:
SUMO Linux is the brainchild of Marcus Carey of Sun Tzu Data in the Washington, D.C. area. As part of his DojoSec events and training program, Marcus found himself, and his students, frustrated with needing various tools from different Live CD distributions. Powering down, loading a new disc, and waiting until the new one comes up: annoying and troublesome to say the least.
SUMO Linux 1.0 is the genesis of that teaching experience – one DVD to rule them all. First released in November 2008, this young project represents a multi-boot DVD inclusive of five (that’s right, I said five) popular security-related Linux distributions. Bonus!

SUMO Linux includes Backtrack, Helix, Samurai Linux, dban, and DVL.

Grab the DVD ISO, pull down the article PDF, and make quick use of this excellent distribution.
Cheers.