Archive for January, 2008

At the end of 2007 we first noted the FastHosts breaches in the BreachBytes links to breach articles. On January 14, 2008, ComputerWorld reported that the seemingly benign and random breach(es) at FastHosts, the UK’s largest hosting company, in late 2007 appear to be much worse than originally thought, given the damage that is now happening as a result. Here is the article:

New mass hack strikes sites, confounds researchers

It is interesting to see that the attackers continue to use more sophisticated methods to do their damage, and that several of the knowledgeable security companies are quoted as not really knowing how to determine which sites were in fact infected.


NetFlow data remains a largely untapped resource for network security professionals. All modern routers support it, yet in most cases NetFlow is used for network operations management and QoS and then discarded. This is very unfortunate for security analysts, who need flow data for a variety of security and compliance reasons. Good flow data is a fundamental part of any network forensics investigation. NetFlow data is appealing in that — for networks with routers that support it — it is free and easy to collect.

Luckily, there are several free NetFlow tools available to collect and store NetFlow data, often in a highly efficient compressed binary format. These tools vary greatly in terms of quality and support. The table below summarizes the free NetFlow tools available to network security analysts.

Name         Version   Last Updated        License
NEye         1.0.1     February 6, 2005    GNU-like
SiLK         0.11.7    September 6, 2007   GNU
Flowd        0.9       March 4, 2006       BSD-like
nfdump       1.5.6     August 8, 2007      BSD
flow-tools   0.68      April 11, 2005      Apache-like
Cflowd       2.1.b1    October 24, 2000    GNU
EHNT         0.4       August 5, 2003      GNU
Flowc        1.6       August 18, 2006     Apache-like

From personal experience, I have found SiLK, flow-tools and nfdump to be excellent solutions for capturing flow data. It is interesting to note that only two of the eight tools above have been updated in the last year. Future posts in BreachBytes will cover some of these tools in depth and look into performance comparisons of the tools.
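To show what the collectors above actually store, here is an added example (not from the post or from any of the listed tools): a parser for one NetFlow v5 export datagram, followed by the kind of check a forensic analyst runs over flows, counting distinct destination ports per source/destination pair. The v5 header and record layout are the standard ones; the sample datagram, its addresses and the fan-out threshold are constructed for the example.

```python
import struct
import socket
from collections import defaultdict

# NetFlow v5 wire format: 24-byte header followed by `count` 48-byte records (big-endian).
HEADER_FMT = ">HHIIIIBBH"  # version, count, sys_uptime, unix_secs, unix_nsecs, flow_seq, engine_type, engine_id, sampling
RECORD_FMT = ">4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)  # 48

def parse_netflow_v5(datagram):
    """Return a list of flow dicts from one NetFlow v5 export datagram."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than a v5 header")
    version, count = struct.unpack(HEADER_FMT, datagram[:HEADER_LEN])[:2]
    if version != 5:
        raise ValueError("not a NetFlow v5 datagram: version %d" % version)
    if len(datagram) < HEADER_LEN + count * RECORD_LEN:
        raise ValueError("header advertises %d records but payload is truncated" % count)
    flows = []
    for i in range(count):
        off = HEADER_LEN + i * RECORD_LEN
        f = struct.unpack(RECORD_FMT, datagram[off:off + RECORD_LEN])
        flows.append({
            "src": socket.inet_ntoa(f[0]), "dst": socket.inet_ntoa(f[1]),
            "packets": f[5], "bytes": f[6], "sport": f[9], "dport": f[10],
            "flags": f[12], "proto": f[13],
        })
    return flows

def port_fanout(flows, threshold):
    """Source/destination pairs where the source touched at least `threshold` distinct TCP ports."""
    seen = defaultdict(set)
    for f in flows:
        if f["proto"] == 6:
            seen[(f["src"], f["dst"])].add(f["dport"])
    return {pair: len(ports) for pair, ports in seen.items() if len(ports) >= threshold}

def build_record(src, dst, sport, dport, proto, packets=1, nbytes=40, flags=0x02):
    """Pack one v5 record (constructed test data; interface ids, timestamps and masks are filler)."""
    return struct.pack(RECORD_FMT, socket.inet_aton(src), socket.inet_aton(dst), b"\0" * 4,
                       1, 2, packets, nbytes, 1000, 1000, sport, dport, 0, flags, proto, 0, 0, 0, 24, 24, 0)

# Constructed sample: one client probing TCP ports 21-25 on a server, plus one ordinary web session.
SAMPLE_RECORDS = [build_record("10.0.0.5", "192.0.2.10", 40000 + p, p, 6) for p in range(21, 26)]
SAMPLE_RECORDS.append(build_record("10.0.0.7", "192.0.2.10", 51000, 80, 6, packets=12, nbytes=9000, flags=0x1b))
SAMPLE_DATAGRAM = struct.pack(HEADER_FMT, 5, len(SAMPLE_RECORDS), 123456, 1200000000, 0, 0, 0, 0, 0) + b"".join(SAMPLE_RECORDS)

if __name__ == "__main__":
    print(port_fanout(parse_netflow_v5(SAMPLE_DATAGRAM), 5))  # → {('10.0.0.5', '192.0.2.10'): 5}
```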


Poor Salesforce.com.

They continue to be under attack by phishing scams. As a customer I have been satisfied with their responsiveness and continue to root for them. My first sighting of the last Salesforce.com attack popped up in my ZDNet.com RSS feed on 11/06/07. The same day I received an email from Salesforce.com explaining what had happened and what they were doing about it. They offered a surprising level of transparency which, in my mind, showed courage and confidence, given their timely disclosure. Over the following days, changes were implemented that were mildly inconvenient to the user yet improved the security of the Salesforce.com installation (and, more importantly, of our data).



Two big legal cases have made headlines in the cybercrime arena over the last week. First, Reuters reported on 1/3/08 that the Justice Department has indicted Alan Ralsky, known as the “spam king”, on charges that he orchestrated a stock spamming operation. Reuters, in a 1/8/08 article, is also reporting on a case where a system administrator was hit with $81K in fines and 30 months in prison for unleashing a classic logic bomb on his former employer’s servers.

Maybe this is just a coincidence, but does it signal a shift towards holding criminals accountable for cybercrime? I personally would like to think so, since a huge reason that cybercrime is so rampant is the U.S. legal system’s inability to evolve and adapt in the prosecution of crimes that take place on or using the Internet.



The security industry today is making big money on forensics. SANS alone has three different courses on the subject. Guidance Software has built a highly successful company by focusing solely on computer forensics. This is great, but anyone who has ever done a computer forensic investigation knows that it is a time-consuming, tedious process that is prone to human error. They also know that computer forensics is often not the end of an investigation but the beginning of a larger incident.

Often a computer forensic investigation will yield evidence showing that the compromised host was not an isolated compromise but part of something larger and nastier. This is where computer forensics meets network forensics. Surprisingly, the security industry is lagging far behind when it comes to network forensics. The focus has been on computer forensics, but a shift towards network forensics in the industry is inevitable.

