Forming an Incident Response Team
Published on 1995-01-01 - by Danny Smith, ©AusCERT
Forming an Incident Response Team (IRT) in the 1990s can be a daunting task. Many people forming an IRT have no experience with doing this. This paper examines the role an IRT may play in the community, and the issues that should be addressed both during the formation and after commencement of operations. It may be of benefit to existing IRTs as it may raise awareness of issues not previously addressed.
File info:
- Source: www.auscert.org.au
Building Secure Applications: Consistent Logging
Published on 2007-02-26 - by Rohit Sethi and Nish Bhalla, ©SecurityFocus
This article examines the dismal state of application-layer logging as observed from the authors’ years of experience in performing source code security analysis on millions of lines of code. It argues that effective logging is often ignored in the push for application security and demonstrates how applications can benefit from a real-time detection of attacks. An idea of a practical implementation is discussed, along with an examination of some of the associated risks and costs.
File info:
- Source: www.securityfocus.com
Detect Your Web Application’s Vulnerabilities Early with Ruby
Published on 2007-01-29 - by Shreeraj Shah, ©Jupitermedia Corporation
Web application fuzzing is a method of detecting a web application’s vulnerabilities prior to deploying the application on a production system. Users of this approach send several malicious requests to the application and, based on the responses received, determine the application’s security posture. Users also can apply fuzzing to perform tests on several different attack vectors such as SQL, XPATH, and LDAP injection, and error handling.
File info:
- Source: www.devx.com
Characteristics of Network Traffic Flow Anomalies
Published on 2001 - by Paul Barford and David Plonka, ©Paul Barford and David Plonka
One of the primary tasks of network administrators is monitoring routers and switches for anomalous traffic behavior such as outages, configuration changes, flash crowds and abuse. Recognizing and identifying anomalous behavior is often based on ad hoc methods developed from years of experience in managing networks. A variety of commercial and open source tools have been developed to assist in this process, however these require policies and/or thresholds to be defined by the user in order to trigger alerts. The better the description of the anomalous behavior, the more effective these tools become. In this extended abstract we describe a project focused on precise characterization of anomalous network traffic behavior.
File info:
- Source: www.imconf.net
Intrusion-Detection Model (An)
Published on 1987 - by Dorothy E. Denning, ©IEEE
A model of a real-time intrusion-detection expert system capable of detecting break-ins, penetrations, and other forms of computer abuse is described. The model is based on the hypothesis that security violations can be detected by monitoring a system’s audit records for abnormal patterns of system usage. The model includes profiles for representing the behavior of subjects with respect to objects in terms of metrics and statistical models, and rules for acquiring knowledge about this behavior from audit records and for detecting anomalous behavior. The model is independent of any particular system, application environment, system vulnerability, or type of intrusion, thereby providing a framework for a general-purpose intrusion-detection expert system.
File info:
Exploiting the Otherwise Unexploitable on Windows
Published on 2006 - by skywing, skape, ©Uninformed
This paper describes a technique that can be applied in certain situations to gain arbitrary code execution through software bugs that would not otherwise be exploitable, such as NULL pointer dereferences. To facilitate this, an attacker gains control of the top-level unhandled exception filter for a process in an indirect fashion. While there has been previous work illustrating the usefulness in gaining control of the top-level unhandled exception filter, Microsoft has taken steps in XPSP2 and beyond, such as function pointer encoding, to prevent attackers from being able to overwrite and control the unhandled exception filter directly. While this security enhancement is a marked improvement, it is still possible for an attacker to gain control of the top-level unhandled exception filter by taking advantage of a design flaw in the way unhandled exception filters are chained. This approach, however, is limited by an attacker’s ability to control the chaining of unhandled exception filters, such as through the loading and unloading of DLLs. This does reduce the global impact of this approach; however, there are some interesting cases where it can be immediately applied, such as with Internet Explorer.
File info:
- Source: www.uninformed.org
Know your Enemy: Web Application Threats
Published on 2007-02-07 - by Jamie Riden, Ryan McGeehan, Brian Engert, Michael Mueter, ©Jamie Riden, Ryan McGeehan, Brian Engert, Michael Mueter
With the constant growth of the Internet, more and more web applications are being deployed. Web applications offer services such as bulletin boards, mail services such as SquirrelMail, online shops, or database administration tools like PhpMyAdmin. They significantly increase the exposed surface area by which a system can be exploited. By their nature, web applications are often widely accessible to the Internet as a whole meaning a very large number of potential attackers. All these factors have caused web applications to become a very attractive target for attackers and the emergence of new attacks. This KYE paper focuses on application threats against common web applications. After reviewing the fundamentals of a typical attack, we will go on to describe the trends we have observed and to describe the research methods that we currently use to observe and monitor these threats. In Appendix A, we give actual examples of a bot (a variant of PERL/Shellbot), the Lupper worm and an attack against a web Content Management System (CMS) as examples that show how web application threats actually act and propagate.
File info:
- Source: www.honeynet.org
One of These Things is not Like the Others: The State of Anomaly Detection
Published on 2002-07-01 - by Matthew Tanase, ©SecurityFocus
"To some, our observations can be summarized succinctly as "bugs happen". That certainly is not news. But dismissing our results so cavalierly misses the point. Yes, bugs happen. But bugs can be fixed - if they are detected. The Internet is, as a whole, working remarkably well. Huge software packages (i.e., X11R5) can be distributed electronically. Connections span the globe. But the very success of the Internet makes some bugs invisible." - Steven Bellovin
File info:
- Source: www.securityfocus.com
Packet vs Flow-Based Anomaly Detection
Published on 2005 - by Esphion Ltd., ©Esphion Ltd.
Operators of mission critical networks employ a variety of strategies to ensure uptime and availability. For network security, firewalls and intrusion prevention systems (IPSs) may be utilized, along with performance measurement tools and network infrastructure health monitoring systems.
File info:
- Source: www.esphion.com
Design and Implementation of an Anomaly Detection System: an Empirical Approach
Published on 2007 - by Gaia Maselli, Luca Deri, Stefano Suin, ©Gaia Maselli, Luca Deri, Stefano Suin
Network management platforms provide flexible facilities for setting up custom applications able to detect network anomalies on a specific environment. This is because each network is made of users, services and computers with a specific behaviour that is then reflected in the generated network traffic.
File info:
- Source: http://luca.ntop.org/
Anomaly Detection in IP Networks
Published on 2003 - by Marina Thottan and Chuanyi Ji, ©IEEE
Network anomaly detection is a vibrant research area. Researchers have approached this problem using various techniques such as artificial intelligence, machine learning, and state machine modeling. In this paper, we first review these anomaly detection methods and then describe in detail a statistical signal processing technique based on abrupt change detection. We show that this signal processing technique is effective at detecting several network anomalies. Case studies from real network data that demonstrate the power of the signal processing approach to network anomaly detection are presented. The application of signal processing techniques to this area is still in its infancy, and we believe that it has great potential to enhance the field, and thereby improve the reliability of IP networks.
File info:
Host-Based IDS vs Network-Based IDS (Part 1)
Published on 2003-07-10 - by Ricky M. Magalhaes, ©TechGenix Ltd.
This white paper will highlight the association between Network Based and Host Based intrusion detection. A product comparison will be incorporated in a following white paper, part 2, to assist in the selection of the appropriate IDS for your organization. Important facts and considerations will be highlighted to assist when selecting a sound intrusion detection system. This white paper will give you a better understanding of the differences between NIDS and HIDS and will highlight the strengths and weaknesses of both, concurrently extending your knowledge and increasing your understanding of IDS systems.
File info:
- Source: www.windowsecurity.com
Wireless Intrusion Detection Systems
Published on 2004-10-18 - by Ken Hutchison, ©SANS Institute
Hewlett Packard tells us that 31 Million users worldwide will be accessing public wireless networks by 2007.
It is clear that wireless solutions are transforming the way we work and live. Employees are able to keep in touch with their e-mail, calendar and employer from mobile devices, while wireless applications such as Radio Frequency Identification (RFID) Smart Tags are, for example, transforming the way luggage is handled at airports, the way public transport is managed and even tracking cattle to help prevent future bovine disease! Using wireless enabled devices, it is already possible to access the internet from public areas such as coffee shops, hotels and motorway rest stops. All of this is possible through the use of Wireless Local Area Networks (WLANs).
File info:
- Source: www.sans.org
Wireless Intrusion Detection Systems
Published on 2003-11-05 - by Jamil Farshchi, ©SecurityFocus
Threats to wireless local area networks (WLANs) are numerous and potentially devastating. Security issues ranging from misconfigured wireless access points (WAPs) to session hijacking to Denial of Service (DoS) can plague a WLAN. Wireless networks are not only susceptible to TCP/IP-based attacks native to wired networks, they are also subject to a wide array of 802.11-specific threats. To aid in the defense and detection of these potential threats, WLANs should employ a security solution that includes an intrusion detection system (IDS). Even organizations without a WLAN are at risk of wireless threats and should consider an IDS solution. This paper will describe the need for wireless intrusion detection, provide an explanation of wireless intrusion detection systems, and identify the benefits and drawbacks of a wireless intrusion detection solution.
File info:
- Source: www.securityfocus.com
Wireless Intrusion Detection and Response
Published on 2003 - by Yu-Xi Lim, Tim Schmoyer, ©Georgia Institute of Technology
A prototype implementation of a wireless intrusion detection and active response system is described. An off-the-shelf wireless access point was modified by downloading a new Linux operating system with non-standard wireless access point functionality in order to implement a wireless intrusion detection system that has the ability to actively respond to identified threats. An overview of the characteristics and functionality required in a wireless intrusion detection system is presented along with a review and comparison of existing wireless intrusion detection systems and functionalities. Implemented functionality and capabilities of our prototyped system are presented along with conclusions as to what is necessary to implement a more desirable and capable wireless intrusion detection system.