Posts

Showing posts from February, 2011

The Honeynet Project Releases New Tool: Cuckoo

Here is another cool tool release from The Honeynet Project: Cuckoo Box by Claudio Guarnieri. Cuckoo is a binary analysis sandbox, designed and developed with the general purpose of automating the analysis of malware. Read more about the tool here, grab the tool here – but please read the detailed setup guide here (make sure to read it!). BTW, this tool is really well-documented, so make use of the documentation before deploying it. Cuckoo is a lightweight solution that performs automated dynamic analysis of provided Windows binaries. It is able to return comprehensive reports on key API calls and network activity. Current features are: retrieve files from remote URLs and analyze them; trace relevant API calls for behavioral analysis; recursively monitor newly spawned processes; dump generated network traffic; run concurrent analysis on multiple machines; support custom analysis packages based on AutoIt3 scripting; intercept downloaded and deleted file...

On Cloud Logging Standards, Unique IDs and Other Exciting Logging Matters

Two of my esteemed colleagues, Misha Govshtein of AlertLogic and Raffael Marty of Loggly, had a bit of an argument over something fairly central to logging and log management, especially as it applies to the coming cloud wave. Let’s review what happened. In 2010, AlertLogic folks submitted an IETF draft of what they called “Syslog Extension for Cloud Using Syslog Structured Data”. The draft is available here, and the AlertLogic team’s explanation of its mission and purpose can be found here and here (unfortunately in MP3 form). The draft reads as if they are proposing a new cloud log standard, since the very first sentence of the document is: “This document provides an open and extensible log format to be used by any cloud entity or cloud application to log and trace activities that occur in the cloud.” Said draft has found its way to the CEE Editorial Board (via an IETF list message) and has caused some interest and, dare I say, unrest. And some disagreement...

LogChat Podcast 5: Anton Chuvakin and Andrew Hay Talk Logs

LogChat Podcast is back again – sorry for the brief delay! Everybody knows that all this world needs is a podcast devoted to logs, logging and log management (as well as SIEM, incident response and other fun related subjects). And now you have it AGAIN with edition #5 - through the sheer combined genius of Andrew Hay and myself, Anton Chuvakin. Our topic today is scaling and sizing log management and SIEM: scalability, sizing, estimating log volumes, hard EPS limits (evil!), scalability of the entire system vs component scalability, peak vs ongoing log rates, EPS, petabytes of logs, “log math”, capacity planning, as well as how to “slap your vendor” (obviously, the quote is from Andrew, not me) in regards to the scalability of their tools. Some administrative items: We plan for this to happen periodically, such as maybe every three weeks - recorded on Wednesday, posted on Thursday. However, due to our work schedules, irregularities occur all the time. If you have not seen or hear...

The Honeynet Project Releases New Tool: PhoneyC

As promised, I will be reposting some of the cool new announcements from The Honeynet Project here on my blog, since I now serve as the Project’s Chief PR Officer. Here is one more: the release of a new tool called PhoneyC, a virtual client honeypot. PhoneyC is a virtual client honeypot, meaning it is not a real application (that can be compromised by attackers and then monitored for analysis of attacker behavior), but rather an emulated client, implemented in Python. The main thing it does is scour web pages looking for those that attack the browser. It can be run, for example, as: $ python phoneyc.py -v www.google.com By using dynamic analysis, PhoneyC is able to remove the obfuscation from many malicious pages. Furthermore, PhoneyC emulates specific vulnerabilities to pinpoint the attack vector. PhoneyC is a modular framework that enables the study of malicious HTTP pages and understands modern vulnerabilities and attacker techniques. Download version 0.1 (a con...

Test Your Mad Logging and Log Management Skills NOW!

Love those easy unscientific quizzes you see all over the Internet? Here is one such quiz on LOGGING and LOG MANAGEMENT that I created specially for LogManagementCentral. Go check what you really know about logs and figure out whether you are a mere bunny logger or a log management ninja. Result scales: Bunny logger (score of 10%); Eager log beaver (score of 20 – 40%); I know my way around logs (score of 50 – 70%); I changed my name to “Log Logger” (score of 80 – 90%); Log management ninja (score of 100.00% and nothing less!). Don’t be afraid … I did put a couple of tricky questions in there.

Proactive and Continuous Compliance? For Real?

At one of the first security conferences I ever attended (probably in 2001 or so), there was this vendor dude who would not stop rambling about continuous compliance. I listened to him and it suddenly dawned on me: what an awesome idea! Running a security-focused, ongoing, multi-regulation program that delivers value to business units and reduces risk – what’s not to love here? However, over the years I’ve gotten more cynical on this matter; we all know our beloved security industry does this to people. As I said in my infamous “Top PCI DSS Security Marketing Annoyances”: “The ‘ongoing compliance’ theme is awesome. Sadly, a majority of your customers [I was addressing security vendors in that post – A.C.] don’t do it like this (to their own loss – this is why it is sad). They still have the assessment-time rush, the pleasing-the-assessor approach and the checklist-oh-we-are-DONE! mentality. If you want to sell continuous compliance, you need to educate them first!” Despite such sentiment, I...

Monthly Blog Round-Up – January 2011

Blogs are "stateless" and people often pay attention only to what they see today. Thus a lot of useful security reading material gets lost. These monthly round-ups are my way of reminding people about interesting blog content. If you are “too busy to read the blogs,” at least read these. So, here is my next monthly "Security Warrior" blog round-up of the top 5 popular posts/topics this month. The hilarious “Top 10 Things Your Log Management Vendor Won't Tell You”, written for LogManagementCentral, reigns supreme this month! Read, laugh, weep…log. My PCI DSS log review procedures that I created for a consulting client and started posting on the blog (sanitized, of course!) took the top spot again: the first post “Complete PCI DSS Log Review Procedures, Part 1” and the whole series “PCI_Log_Review” are expected to be useful to most large organizations under PCI DSS as well as other regulations. To my great excitement, “To...