• Qualys BrowserCheck – nice client side security check tool http://bit.ly/ccAqMN #
• McAfee Risk Management; What threat data if they deploy only vulnerability managers and one correlation engine ? http://bit.ly/bWWGxD #
• New @NetWitness Visualize : Welcome To The Future! http://bit.ly/8XvbnX #
• FireEye and Solera Networks Partner to Provide In-depth Security Analytics for Proactive Cyber Attack Mitigation http://bit.ly/bAljDO #

Powered by Twitter Tools

I have already written about how awesome NetWitness is so I won't repeat what i said in this NetWitness review ; instead I would like to present you the most advanced network traffic visualization system I've ever seen, the NetWitness Visualize.

Imagine you need to file a report on all confidential PDF files which passed trough the network  between 1am and 3am on a Saturday morning. On a multi Gigabyte wire. And you only have one hour to file your report. What a nightmare!

Sorting trough terrabytes of data it is a daunting task to say the least and no matter what file carving tool you use, you still end up with hundreds of PDF files which have to be analyzed by hand.

Now, imagine you can swipe your fingers trough 1:1 renderization of all PDFs which were recorded between 1am and 3am just like Tom Cruise did in Minority Report movie. How cool is that.. in seconds you are able to spot classified watermarked blueprints and other juicy corporate documents.

NetWitness Visualize got it right about human perception of information. It will take a while until we, as humans will be able to read binary (remember Neo in Matrix, the movie?) and until then we need to examine the data reconstructed so that it reflects back  the reality captured in those zero and ones.

And even though I gave a visual example with the PDFs, the same applies to audio data as well. Wouldn't it be cool to be able to instantly listen to each VoIP conversation which was recorded during a 24hrs surveillance ops?  Again, NetWitness Visualize makes this real, only one click away. 

If you want to check for yourselves, there is a live demo of NetWitness Visualize on this website but I strongly recommend you to watch this short YouTube video first .

And, for a good laugh, try to listen to an easter-egg burried as a phone call conversation between the french president Nikolas Sarkozy and Sarah Palin. Sarkozy is singing about Joe the plumber which he takes for Palin's husband and that is priceless.

• fuzzdb : Attack and Discovery Pattern Database for Application Fuzz Testing http://bit.ly/aoerjm #
• Symantec Positioned as a Leader in Three Recent Magic Quadrants – Secure Email GW, SIEM and DLP http://bit.ly/aRrysP #
• Amazing new product by @imperva : File Security – Audit file rights and file access http://bit.ly/an1n72 #
• "GFI Software Acquires Sunbelt Software" ( http://bit.ly/c0mYdR ) #

Powered by Twitter Tools

• Angry researchers disclose Windows zero-day bug http://shar.es/mUibS #
• Google confirms attack on YouTube http://shar.es/mUigF #
• Antivirus Marketshare June 2010 Report — OESIS OK ( http://bit.ly/biB7AA ) #

Powered by Twitter Tools

• I always find inspiration and motivation reading biographies of successful people: @Qualys CEO Philippe Courtot http://bit.ly/9CmbVK #
• "Fidelis Security Systems Integrates Cyber Intelligence from Cyveillance to Provide Advanced Situational Awareness" ( http://bit.ly/9ywqt6 ) #
• nwmap v0.1 Released – Map Network From PCAP File ( http://bit.ly/9BNFEe ) #

Powered by Twitter Tools

I've just read today about the natural integration between Qualys and Imperva, two of the  vendors that I work with and I highly appreciate.

Timing is great for Imperva because the proactive services offered by Imperva's Discovery and Assessment Server had no real correspondence in web application world and that's why QualysGuard Web Application vulnerability scanner fits like a glove.

To put it in their words,

The integration of QualysGuard Web Application vulnerability scanner and Imperva’s SecureSphere Web Application Firewall (WAF) significantly reduces the need for disruptive patching of vulnerabilities. Organizations can use QualysGuard to scan their Web applications for vulnerabilities and then import the scan results into SecureSphere WAF. SecureSphere WAF provides instant mitigation for imported vulnerabilities using a “virtual patch,” which limits the window of exposure and reduces the security risk on the business.

On the other hand QualysGuard gets a couple of benefits suchs as :
- World wide recognition for it's new Web Application Scanner which is the latest addition to the QualysGuard scanner family .

- Sales support from Imperva's Channel . I know I will present this combination (Qualys and Imperva) to all my Imperva customers, whenever possible because I believe I's an effective web application security solution

Here is a short whitepaper (pdf) on this topic.

• RT @ArcSight "Entrepreneur of the Year" – Hugh Njemanze, ARST CTO & VP of R&D – new post from blogger Lisa Kost | http://bit.ly/9JKCWf #
• "Pro CERT – First Romanian Commercial CERT | Dragos Lungu Dot Com" ( http://bit.ly/9I00pF ) #
• RT @pentestit UPDATE: Maltego v3! – get it at – http://pentestit.com/2010/06/17/update-maltego-v3/ #
• RT @securitypro2009 MANDIANT Unveils Web Historian 2.0 http://bit.ly/dBLjL3 #

Powered by Twitter Tools

It brings me great pride and joy to announce the public release of Pro CERT ( Provision Computer Emergency Response Team), the first commercial CERT structure in Romania.

Quoting from Pro CERT RFC2550 charter :

Pro CERT is a project initiated and sponsored by Provision Software Division SRL, the largest privately owned Romanian IT security company.

"Pro CERT offers assistance and coordination in early detection and handling of computer and network security incidents for all it’s constituents. Pro CERT primary constituency include all networks and systems belonging to Provision Software Division SRL and it’s customers.A secondary goal in terms of constituency is represented by the Romanian TLD : .ro for which Pro CERT aims to be a certified  point of contact for incidents targeting or initiated from Romania.

Pro CERT is dedicated to preventing security incidents by offering direct proactive measures and security quality management services. Pro CERT operates under the authority of Provision’s Managed Security Services business division, which manages the operational authority between Pro CERT and each of its constituents trough individual SLAs. 

Pro CERT core activities imply close cooperation with all large ISP's abuse teams from Romania and abroad, direct contact and data exchange in order to prevent and recover from security incidents that affect Pro CERT’s constituents.

Pro CERT operates under the restrictions imposed by Romanian law. This involves careful handling of personal data as required by Romanian Data Protection laws, but it is also possible that – according to Romanian law – Pro CERT may be forced to disclose information due to a Court's order. "

Just like the Oscar winners, I would like to thank my team without whom none of this could have happened . It's a young project but we are very ambitious and we have set our goals high !  Please contact me directly,leave comments or register on www.pro-cert.ro  if you would like to cooperate with Pro CERT.

Please find below the opening presentation I gave on Provision Security Days conference about Pro CERT.
 

Do you like my presentation ? Thanks !

For a long time I wanted to write a review on GFI EventsManager 2010 and I'm glad I'm doing it because for me it's a very good example of software built the right way for the right job at the right time.

Having spent my last 5 years working with SIEM giants like ArcSight and RSA EnVision, I have experienced first hand the benefits and sometimes the downfall of  SIEM / ESM solutions.

GFI EventsManger takes a simple and robust aproach to log and event management and this is shown in the way it does the collection of data, the analysis, storage and reporting.

The collection of data is done agentless which is a big plus and the solution  can collect and process Windows events, W3C event logs, Syslog messages, SNMP Trap and SQL Server logs.  This allows one to collect more data from the different hardware and software systems that are most commonly available on a typical corporate network.

GFI EventsManager offers one of the best asset management interface allowing one to group assets (servers, workstations, netowrk devices) and quickly display events filtered by numerous criteria.

The list of supported devices can be found here (a bit outdated, needs an update to 2010 version) and it includes top vendors in all major security domains :access control, perimeter, endpoint , directory services, content filtering, IDS / IPS, operating systems and much more.

The solution uses two collection engines, the Event Retrieval Engine and the Event Receiving Engine which cover all supported log formats, either passively such as Syslog and SNMP or actively connecting systems handling W3C and Windows events.

Once the events have reached them main processing unit, GFI EventsManager will run a set of event processing rules on the collected events. The solution ships with a rich set of out-of-the-box rules such as :

• Classifying the events as Critical, High, Medium, Low or Noise (which are discarded)
• Filtering events based on specific criteria
• Triggering email, SMS and network alerts on key events
• Triggering remediation actions such as the execution of executable files or scripts on key events
• Optionally archiving collected events in the database backend.

GFI EventsManager uses a MS-SQL database backend which can quickly fill up so the solution provides functionality to disk-archive the main stream of events and save only the important alerts in the database.

Accessing the data is straight forward using Event Browsing which does a great job at presenting the events is an easy-to-read format. Event Browser can also be used as a forensics analysis tool because of it's ease of use in drilling into recorded events.

Reporting is done via  the GFI ReportCenter framework which offers consistent reporting features for many GFI products. There is a dedicated ReportPack for GFI EventManager which loads in the reporting framework so you can benefit from the framework powerful reporting features tailored to the specific data provided by EventManager.

Reports can be scheduled and can be sent by email or exported as to various formats including HTML, Adobe Acrobat (PDF), Excel (XLS), Word (DOC), and Rich Text Format (RTF).

Conclusion
GFI EventManager 2010 is a very efficient and effective log and event management tool which covers most of the daily security monitoring activities. However, there is room for expanding this product by adding support for more log formats (ODBC, flat text, vendor specific protocol like CheckPoint OPSEC, etc). Also event normalization and aggregation could improve the in-memory correlation for more complex AI alerts .

Licensing is very affordable for this class of products and it's based on number of nodes reporting events. Also, don't forget that you can always download a full working evaluation version from here .

• SC Magazine US awards perfect score to Netgear ProSecure. Good content filtering for less than 3k USD . Cool ( http://bit.ly/aDzC5M ) #
• RT @agent0×0 RT @securitymonks: RIPS – A static source code analyser for vulnerabilities in PHP scripts http://goo.gl/H65C #

Powered by Twitter Tools

I just received today a phishing email which had an HTML attachment and of course it asked me to click the attached file.

By opening the attached file as text I noticed it's packed with scrambled / encoded JavaScript which unfortunately I don't speak fluently.

I have uploaded the file on my webserver and I scanned with QualysGuard Malware Detection service which runs the discovered malware in a sandbox OS to detect the effects on an ordinary PC but unfortunately I didn't get any results.

By unscrambling some URLs I found remote calls to http://onnoe.ru:8080/index.php?pid=10 which gave me a hint that this malware might be used as trojan / botnet harvester.

So, I would appreciate if anybody could take a look at the malware JavaScript and share the results with me .. I'm extremely curious on what it does.

Anyways, here is the culprit JS code saved as txt.

Thank you!

• dotDefender busted by Sandro Gauci of EnableSecurity ( http://bit.ly/cLN9Uy ) #
• RT @Hfuhs: Wordpress user: Be careful where you get your theme from – http://fuhs.eu/16h #
• RT @Imperva: History of Hacking in One Cool Graphic http://bit.ly/bQYUim #
• attending Provision Security Days at seaside in Olimp, Romania .. cold, windy. Hopefully that will keep the guests focused on the conference #
• Just released Pro CERT : ProVision Computer Emergency Response Center http://slidesha.re/cMYcDC #

Powered by Twitter Tools

• "Patch management for non-Microsoft software products with new release of GFI LANguard" ( http://bit.ly/9CcODJ ) #
• "BBC News – First human 'infected with computer virus'" ( http://bit.ly/96Lhg4 ) .. amazing ! #

Powered by Twitter Tools

• RT @mikkohypponen: Romanian Dpt of Investigation of Organized Crime took down another online criminal gang (video): http://bit.ly/bSc6yq #
• RT @GFISoftware: Competiton time! 4 NAS drives left to be won this week. Win a NAS with GFI Software http://bit.ly/9eQ7b2 Pls RT #
• Reading: "SNOsoft Research Team" ( http://bit.ly/bCWomW ) .Reverse Blind SQL Injection aka smart way to bypass WAFs . Kudos ! #
• "SecureSphere Virtual Appliances" ( http://bit.ly/d3TChJ ) Thank you @imperva I had to turn down many customer requests until today #

Powered by Twitter Tools

• happily ending first day of teaching EC-Council CEH class at New Horizons Training Center Romania http://bit.ly/ady3s5 #

Powered by Twitter Tools

• just finished 2 sessions of @imperva tech presentations which went great.. feeling dizzy though. #
• just did some testing with breakingpoint and @Imperva . Both are able to perform well IF configured properly. #
• @fmavituna it held up pretty well but it also depends how much you push the BreakingPoin't throttle. No mythbuster's epic ending though in reply to fmavituna #
• having fun MythBuster style: @breakingpoint can bring hell on net.. 50k TCP sessions running at 800Mbps smashed one DB security appliance. #

Powered by Twitter Tools

• Looking for a banking fraud management solution (mainly Oracle systems). Any recommendations based on real-life experience ? Thank you ! #
• "The Case Against Apple–in Five Parts « The Jason Calacanis Weblog" ( http://bit.ly/45L0Lx ) .. old but gold. #
• Reading: "Attack of the Opt-In Botnets | Zero Day | ZDNet.com" ( http://bit.ly/b5zu4n ) #
• SKIPFISH Review http://bit.ly/aW5dTW #

Powered by Twitter Tools

On Mar 19, on Friday morning, Michal Zalewski announced on Google Security Blog : "Meet skipfish, our automated web security scanner" and this had to be taken seriously.

Recently I've seen a lot  of free  "web malware scanners", some of them released by prestigious security vendors , *cough* Qualys *cough* and some of them released by unknown -to me at least – developers of WP-Secure Plugin for Wordpress  SiteSecurityMonitor.com .

Google developers took a different approach and they built an ol' school console application written in pure C which is lighting fast and thanks to it's asynchronous processing is able to inject hundreds of HTTP requests / second.

The source code is released under Apache license and it's available for download here.

I don't have a Linux box available right now to make it and test it myself but the documentation surely fires up your interest on the features implemented in skipfish: Server-side SQL injection, Integer overflow vulnerabilities, Stored and reflected XSS, MIME Manipulation, HTTP credentials in URLs, Unexpected response variations and many many others. 

We owe a big thanks to the Google security team and I hope skipfish will be developed further.

This week, The winners of the 2010 SC Awards U.S. were announced in San Francisco. I am very happy to see that I work with the winning vendor from almost all categories which I specialize in.

Without further ado, here is the complete list :

Best computer forensics solution

Winner: Guidance Software for EnCase Forensic

Finalists 2010

• ArcSight for ArcSight Logger
• Guidance Software for EnCase Forensic
• NetWitness for NetWitness NextGen 9.0
• Quest Software for Quest ChangeAuditor
• Solera Networks for Solera DS Network Forensics Appliances

Best SIM/SIEM solution

Winner: ArcSight for ArcSight Enterprise Security Manager (ESM)

Finalists 2010

• Alert Logic for Log Manager
• ArcSight for ArcSight Enterprise Security Manager (ESM)
• IBM for Tivoli Security Information and Event Manager
• Q1 Labs for QRadar SIEM
•  RSA Security for RSA enVision Platform
• Tenable Network Security for Tenable's Security Center 3.4 with Log Correlation Engine 3.2
• TriGeo Network Security for TriGeo SIM

Best vulnerability management solution

Winner: Qualys for QualysGuard

Finalists 2010

• Core Security Technologies for CORE IMPACT Pro
• eEye Digital Security for Retina Network Security Scanner
• Microsoft Corp. for Forefront Threat Management Gateway
• Qualys for QualysGuard
• Tenable Network Security for Tenable Security Center 3.4 with Nessus 4.0, Log Correlation Engine (LCE) 3.2 and Passive Vulnerability Scanner (PVS) 3.0
• TippingPoint Technologies for TippingPoint Intrusion Prevention System (IPS)

Best web application security solution

Winner: F5 Networks for BIG-IP Application Security Manager

Finalists 2010

• Barracuda Networks for Barracuda Web Application Firewall
• Breach Security for WebDefend
•  F5 Networks for BIG-IP Application Security Manager
• TippingPoint Technologies for TippingPoint's Intrusion Prevention System (IPS)
• VeriSign for VeriSign Extended Validation (EV) Secure Sockets Layer (SSL) Certificates
• WhiteHat Security for WhiteHat Sentinel

Read here the complete list of winners . I only wish it was an additional  category named "Database Security" so I could see Imperva listed as well

For the past 1 month I lost contact with Infosec world and I was quite surprised today to discover 3 new services offered by Qualys :

QualysGuard Malware Detection - A Free service for everyone
By scanning the code of the public web applications / websites, Qualys is able to detect malware code snippets and , most important, it can issue alarms when malicious code is found.

Qualys FreeScan – A Free Vulnerability Scanner Tool
Think of it as a complete QualysGuard scan for one single IP. It's a good way to try before you buy and a sample report is provided.

Qualys GOSECURE - A Security Seal which confirms that a certain website is maintaining a rigorous and proactive security program .
This service takes a composite approach and performs an extensive scan of a website including: perimeter vulnerability scanning, specific web application vulnerability scanning, malware detection and SSL certificate validation. If everything is ok, Qualys issues a badge which certifies the website security.

I wish them luck with the new service range and hopefully efforts like this will reduce the online threats posed by infected websites!,