Sunday, May 10, 2009

Excellent Sunday Linkage

Thought I'd share a couple of posts, links and thoughts I've come across or had recently...

First, a while ago I provided information for a "lessons learned" ISS X-Force blog post on SQL injection, and it was posted last week. Hopefully, this post provides some insight into the dangers of the SQL injection attacks that the media did not pick up on; namely, leveraging the configuration issue to burrow deep, deep, deep inside the infrastructure.

The blog post was picked up by the SANS ISC, as well...thanks, guys!

Some additional resources regarding SQL injection, if you're not familiar with the issue:
SQL Injection Attacks by example
SecuriTeam: SQL Injection Walkthrough
What MS has to say...

The Illustrious Don Weber has a couple of excellent posts over on the Security RipCord blog, the latest regarding the use of F-Response and the FEMC v3.09. Don's posted lots of pictures, too, that clearly illustrate how easy Matt's product makes incident response. The title that Don used for the post includes "quick", as in, "the quick or the dead", because honestly, that's what it comes down to, doesn't it? At the first SANS Forensic Summit in Oct, 2008, AAron Walters used the term "temporal proximity" to indicate the need for better detection and quicker response to incidents in order to collect data for analysis. F-Response moves incident response ahead a quantum leap forward, providing responders with the capability to reach out and collect data faster than ever before. Not only are you not sacrificing accuracy or completeness for speed, but this isn't so complicated that you need to be a rocket scientist to use it.

Speaking of F-Response, be the first on your block...uh, get the new F-Response decal!

For those of us who are into Windows memory analysis, Andreas Schuster has posted links to more versions of the venerable PTFinder tool. Don's also spent some time talking about memory analysis tools and large memory acquisitions, as well.

Ryan Johnson posted to the SANS Forensic Blog on the Future of Digital Forensics; his post focuses primarily on the PI issue that has cropped up in many states already, to varying degrees requiring folks who do IR and CF work to be licensed as private investigators. IMHO, this does absolutely nothing to better the field or the community, nor does it do anything to serve the customer/ fact, it hurts the victim. When someone calls for assistance, they're going to either have to pay some additional amortized fee for the cost of obtaining licensing in that state, or they're going to be told, "oh...sorry, no...we can't do work in YOUR state." Cllick. It's already happening, folks. Am I saying that you won't get the best of the best? No. What I am saying is that the purpose of the licensing has nothing whatsoever to do with the quality of the work, and in some cases, it prevents victim organizations from bringing in responders with whom they already have a relationship, and may know some pretty important things about their infrastructure.

Last but not least, Richard Bejtlich has posted some highlights from the 2009 Verizon Security Data Breach Report, and as always, he's got some pretty insightful things to say. One of his statements that I would suggest is accurate is, Detection methods continue to be pathetic. Harsh? Maybe. Look at the graphic from the report; 70% of breaches were reported by an outside third party. Ouch.

Finally, don't forget to check out episode 151 of the PaulDotCom podcast, and don't miss Larry Daniels' TalkForensics show...

No comments: