Archive for March 2006

University of Fairfax

I’ve had several entries in the past where I’ve commented about the University of Fairfax.

Their website says they are certified by the State Council of Higher Education for Virginia to operate in the Commonwealth of Virginia. I’ve stated that the problem with that statement is that accreditation is what separates diploma mills from Universities. It’s the only way an employer really knows if the degree is legitimate. I found that the State Council of Higher Education site is updated and it still lists no accreditation for University of Fairfax.

How long does it take a new institution to get accredited?

I’ve sent Eric Cole who is on their faculty list an email to see if he really teaches there. He hasn’t yet responded.
I’m thinking of sending the school an email and asking about this.

SANS.edu is much more upfront. I’ve blogged about their Masters degree program as well. They report that it is not possible to seek accreditation until the first class has graduated.

[see comments below for further discussion]

Another long weekend

This weekend I have another project for school due. In it, I must analyze a Linux image created using dd. I’ll be looking at the image using sleuthkit primarily, as well as mounting the image as a read-only file system. I need to be able to determine what happened and when. From a cursory glance, it looks like I might have to recover deleted files as well. Oh joy.
Right now I’m having some problems with the mounted image. I’m trying to copy a couple of files off and I’m not able to do it. I need the password and group files to make mactime display the actual user and group names instead of numbers. Hopefully when I do that I can construct some sort of timeline of activity.
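The step described above (feeding the image’s own passwd and group files to mactime so the timeline shows names rather than numeric ids) as an added example, not code from the original post or from The Sleuth Kit. It reimplements the uid/gid resolution that `mactime -p passwd -g group` performs on a body file from `fls -m`, so the reader can see exactly what is looked up where. The body-file lines, passwd and group contents are constructed samples, and the body format assumed is the TSK 3.x one.

```python
"""Build a readable timeline from a Sleuth Kit body file, resolving numeric
UIDs/GIDs with the passwd and group files copied out of the *image* (not the
analysis host's), which is what mactime's -p and -g options do.

Added illustration; not code from the original post or from The Sleuth Kit.
The passwd, group and body-file contents below are constructed samples.
Assumes the TSK 3.x body format:
  MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
"""
from datetime import datetime, timezone

# Constructed /etc/passwd and /etc/group as copied from the read-only mount.
IMAGE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
jdoe:x:1000:1000:John Doe:/home/jdoe:/bin/bash
"""
IMAGE_GROUP = """root:x:0:
daemon:x:1:
users:x:100:
jdoe:x:1000:
"""

# Constructed body-file lines in the shape `fls -m / -r image.dd` produces.
# The "(deleted)" entry stands in for a file recovered from unallocated space.
BODY = """0|/etc/passwd|1234|r/rrw-r--r--|0|0|1024|1141900000|1141900100|1141900100|0
0|/home/jdoe/.bash_history|5678|r/rrw-------|1000|1000|512|1141903600|1141903600|1141903600|0
0|/tmp/.x/rootkit.tgz (deleted)|9012|r/rrw-r--r--|1000|1000|204800|1141903700|1141903650|1141903700|0
0|/usr/sbin/sshd|3456|r/rrwxr-xr-x|0|0|300000|1141903800|1141903800|1141903800|0
"""


def parse_id_file(text):
    """Map numeric id -> name from passwd/group content (field 3 is the id)."""
    mapping = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            mapping[int(fields[2])] = fields[0]
    return mapping


def build_timeline(body, passwd_text, group_text):
    """Return rows (epoch, macb flags, mode, user, group, size, name) sorted by
    time; like mactime, timestamps that coincide share one row ("m.c.")."""
    users = parse_id_file(passwd_text)
    groups = parse_id_file(group_text)
    rows = []
    for line in body.splitlines():
        if not line.strip():
            continue
        f = line.split("|")
        if len(f) != 11:
            raise ValueError("unexpected body-file line: %r" % line)
        name, mode = f[1], f[3]
        uid, gid, size = int(f[4]), int(f[5]), int(f[6])
        atime, mtime, ctime, crtime = (int(x) for x in f[7:11])
        by_time = {}
        for flag, t in (("m", mtime), ("a", atime), ("c", ctime), ("b", crtime)):
            if t > 0:  # 0 means "not recorded" (ext2/3 keeps no creation time)
                by_time.setdefault(t, set()).add(flag)
        for t, flags in by_time.items():
            macb = "".join(ch if ch in flags else "." for ch in "macb")
            # Unknown ids fall back to the raw number rather than a wrong name.
            rows.append((t, macb, mode, users.get(uid, str(uid)),
                         groups.get(gid, str(gid)), size, name))
    rows.sort(key=lambda r: (r[0], r[6]))
    return rows


def format_timeline(rows):
    """Render rows as text, one line per (time, file)."""
    out = []
    for t, macb, mode, user, group, size, name in rows:
        ts = datetime.fromtimestamp(t, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
        out.append("%s %s %s %-6s %-6s %8d %s" % (ts, macb, mode, user, group, size, name))
    return "\n".join(out)


if __name__ == "__main__":
    print(format_timeline(build_timeline(BODY, IMAGE_PASSWD, IMAGE_GROUP)))
```

The point of using the image’s passwd and group files rather than the analysis workstation’s is that uid 1000 on the suspect box is whoever the suspect box says it is; resolving against the wrong file silently mislabels the timeline, which is why unknown ids are left as numbers here instead of guessed.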

F-Secure Sanctimony

F-Secure blog writer Sean gives it to Microsoft with both barrels for daring to do research on rootkits.
First he blasts them for doing research into how an attacker might build a better rootkit.
Next he blasts them because in 1993 someone did that with a floppy.
I can’t believe that someone at an antivirus company is blasting someone else for doing research into the dark arts. If my antivirus company failed to do research into the dark arts, they would be in constant reaction mode. I’d prefer that my AV company think of ways to 0wn my computer and then protect me from it. Otherwise, they are just taking my money and sitting on their thumbs waiting for an attack. The attack, of course, would allow them to sell more product.
F-Secure is a cutting-edge AV company. I don’t think they sit around waiting for the bad guys to innovate first. So I don’t know why Sean at F-Secure would blast Microsoft for doing this research. He compares it to research into nuclear fission.

FrSIRT Closes Public Exploits Section

The public exploits section at the French Security Incident Response Team website has gone members-only.
That website had been a good site for exploit code for the non-grayhat to learn what exploits are easily available. All too often patching can’t occur until justified by a credible threat. That site would act as a barometer in a way not matched by even pay services like Symantec DeepSight. I’m going to miss that.

Phished

The ISC handler has a good diary entry today on some phishing he’s seen.
I got one yesterday regarding Chase. I have a Chase credit card and it was sent to the correct email address that is listed with that card. It looked very legit. It said that as someone had accessed my account from two IPs they needed me to visit the website to verify that my account hadn’t been 0wned. I often access from both work and home so it sounded plausible.
The link for the phishing is http://www.aweber.com/livesupport/web/.Chase-Online-Verification/ aweber appears to be a real company at first glance. I was thinking of calling Chase to ask for verification; instead I went to the real Chase site and read their policy of never sending out emails like this. I also noticed the mail headers came from a .ch TLD. I submitted the URL to Websense. I couldn’t find any abuse address for aweber. (Plus I’m accessing email through my ISP’s webmail and they aren’t giving me a good way to get the email in “raw” format, which makes it harder to report abuse.)

McAfee w95/CTX False Positive

McAfee had a major false positive on Friday that affected a lot of applications.
I’ve seen reports that affected applications include:
Microsoft Excel 2000
Macromedia Flash Player 7
Oracle J-Initiator Client
Oracle Client Applications
Borland Database Engine Drivers
Sun Java Runtime Environment v2
ADP Payroll Applications
CA UniCenter Applications
ProComm Plus
And Many More…
McAfee is reporting the most common false positives are:
usersid.exe Windows XP file
imjpinst.exe Windows XP file
ecenter.exe Dell file
ntfstype.exe Utility
adobeupdatemanager.exe Adobe Update Manager
gtb2k1033.exe Google Toolbar Installer
43gcjvgahnu44.ths Macromedia Flash Player 7.0 r19
excel.exe Microsoft Excel
graph.exe Microsoft Excel
If the files are in quarantine, you can restore them after updating to a later virus definition. If you’ve let McAfee delete them, you need System Restore or backups.

McAfee False Positive part 2

According to the SANS Internet Storm Center diary, there was a false positive in McAfee defs on Friday. They asked a couple of questions that I thought were worth a blog entry.
How would you detect such a “bad pattern” in your environment, and, more importantly, how would you distinguish between “false positive” and “virus outbreak” ?
We use Symantec Antivirus in our environment. It sends an email alert to the antivirus administrator about each virus alert. The antivirus administrator should be able to make a decision based on his/her experience, the directory and filename of the reported file, and the number of reports.
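As an added example for the ISC question above (not code from the original post, the ISC diary, or any vendor’s console), here is the kind of first-pass triage an antivirus administrator could run over a burst of alert records before deciding “bad pattern” versus “outbreak”. It encodes the cues named above, directory and filename, number of reports, plus timing relative to the definition push, as a heuristic. The alert records are constructed samples in an assumed `key=value;…` form; a real deployment would parse the console’s own alert mail instead.

```python
"""First-pass triage of a burst of antivirus alerts: bad signature or outbreak?

Added illustration for the ISC question above; not code from the original
post, the ISC diary, or any AV vendor's console. The alert records are
constructed samples in an assumed "key=value;..." form; a real deployment
would parse the console's own alert mail instead.

Heuristic: a bad definition tends to flag ONE detection name at the SAME
path under a program directory on MANY hosts within minutes of a definition
push. An outbreak tends to hit varied, user-writable paths (temp dirs,
profiles) with alerts spread out independently of any definition update.
"""
from collections import Counter, defaultdict

PROGRAM_DIRS = ("c:\\program files\\", "c:\\windows\\", "c:\\winnt\\")
DROP_DIRS = ("\\temp\\", "\\tmp\\", "\\documents and settings\\", "\\users\\")

# Constructed: six hosts flag the same Office binary right after a defs push.
DEFS_UPDATE_TS = 1141992000
FALSE_POSITIVE_BURST = [
    "ts=%d;host=ws%02d;threat=W95/CTX;path=C:\\Program Files\\Microsoft Office\\Office\\EXCEL.EXE;action=quarantined"
    % (DEFS_UPDATE_TS + 120 * i, i) for i in range(1, 7)
]
# Constructed: six hosts, same (made-up) worm name, different dropper names in
# temp dirs, spread over many hours with no relation to the definition push.
OUTBREAK = [
    "ts=%d;host=ws%02d;threat=W32/Sample.worm;path=C:\\Documents and Settings\\user%d\\Local Settings\\Temp\\svc%d.exe;action=left alone"
    % (DEFS_UPDATE_TS - 40000 + 9000 * i, 20 + i, i, i) for i in range(1, 7)
]
# Constructed: a single hit; nothing to conclude yet.
LONE_ALERT = [
    "ts=%d;host=ws40;threat=W32/Sample.worm;path=C:\\Windows\\Temp\\x.exe;action=quarantined" % DEFS_UPDATE_TS
]


def parse_alert(line):
    rec = dict(kv.split("=", 1) for kv in line.split(";"))
    rec["ts"] = int(rec["ts"])
    rec["path"] = rec["path"].lower()
    return rec


def triage(alert_lines, defs_update_ts, window=3600, min_hosts=5):
    """Return a verdict plus the evidence an AV admin would look at."""
    alerts = [parse_alert(l) for l in alert_lines]
    if not alerts:
        return {"verdict": "no alerts"}
    hosts = {a["host"] for a in alerts}
    threats = Counter(a["threat"] for a in alerts)
    hosts_per_path = defaultdict(set)
    for a in alerts:
        hosts_per_path[a["path"]].add(a["host"])
    widest_path, widest_hosts = max(hosts_per_path.items(), key=lambda kv: len(kv[1]))
    in_program_dir = sum(a["path"].startswith(PROGRAM_DIRS) for a in alerts)
    in_drop_dir = sum(any(d in a["path"] for d in DROP_DIRS) for a in alerts)
    after_update = sum(0 <= a["ts"] - defs_update_ts <= window for a in alerts)
    share_after = after_update / len(alerts)

    if len(hosts) < min_hosts:
        verdict = "insufficient data"
    elif (len(threats) == 1 and len(widest_hosts) >= min_hosts
          and in_program_dir > in_drop_dir and share_after >= 0.8):
        verdict = "probable false positive"
    elif in_drop_dir > in_program_dir and len(hosts_per_path) > 1:
        verdict = "probable outbreak"
    else:
        verdict = "unclear"
    return {
        "verdict": verdict,
        "hosts": len(hosts),
        "threats": dict(threats),
        "widest_path": widest_path,
        "hosts_on_widest_path": len(widest_hosts),
        "in_program_dir": in_program_dir,
        "in_drop_dir": in_drop_dir,
        "share_within_window_of_update": round(share_after, 2),
    }


if __name__ == "__main__":
    for label, batch in (("FP burst", FALSE_POSITIVE_BURST), ("outbreak", OUTBREAK), ("lone", LONE_ALERT)):
        print(label, triage(batch, DEFS_UPDATE_TS))
```

The thresholds (five hosts, an hour after the push, 80% of alerts inside that window) are assumptions to tune per environment; the output is meant to put the evidence in front of the administrator, not to replace the judgement call the post describes.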
Would you have the capability to roll back to the last “known good” pattern if help from the vendor were not forthcoming ? Where exactly do these patterns come from ? Is the previous pattern version available there as well ?
The ability to roll back virus definitions is built into the management platform for Symantec (Symantec System Center). Failing that, backdating would have to be done by hand or through a script run on each client.
The antivirus companies have us addicted to updates. We need the fix. We’re jonesing for the fix. Every once in a while we get a bad fix that nearly takes us out. In the past month Kaspersky has killed Exchange servers running Sybari. Microsoft Antispyware has uninstalled Symantec Antivirus. And now this. (I think I’m forgetting a smaller incident Sophos had.) Something is rotten in the state of antivirus.

Promotion

Yet another reason today was a good day. I got my promotion. To be honest, I felt I deserved this a year ago. But hey, it’s more money and a better title. When I consider what I started at and what I make now, it’s pretty incredible. But sometimes I think about what I’d get if I were willing to risk finding a new job…
My manager came by my office with the Employee Action Notice. She remembered that I have a query in SharePoint to look for changes to the entry in the phone book amongst people in my department with a certain job title. Occasionally I get an alert about a new fax number, but generally any alert is about promotions. Last round of promotions, I was notified before the people receiving the promotion. So she came by before it got in the system.

I Had a Bad Experience with the CIA, and now I’m going to show you my feminine side

I got an email from a colleague today asking if I wanted to give a guest lecture over at the place on Route 123 where if I tell you I have to kill you. He teaches a class to JHU Masters students there and he was asking if I’d like to come in and talk about some component of network security.
It sounds pretty dang cool. The idea scares me. I’m not much for public speaking. At least the first time in any new situation will cause me to be a bit nervous. So I think any time I get to practice that is a good thing.

Pen Test Challenge

Part 3 of our Secure Operations project started today. And don’t tell anyone, but we’re hacking. Yes, that’s right. The thing that people get all upset about when they hear that universities are teaching it. Here’s the thing: we’re a group of Information Security professionals working on our Masters. We’re doing this all on a private network that we have to VPN into. I don’t think we slogged through Z, Formal Methods, C++ and the Foundations of Computer Science just to go wild. This is minor-league stuff compared to the hacking skills taught for a lot less money at Blackhat. Having some skills is the difference between being a complete security poser and someone who has their stuff together.
So I’ve been pretty happy. I don’t know how many “kills” other people have. But AFAIK my server hasn’t been hit, and I’ve taken out some people I didn’t expect to get.