Keeping up in Information Security is a Red Queen's race. Personally, I follow hundreds of blogs through RSS, and hundreds of "securitytwits" on Twitter, just to keep up.

There were many interesting articles in 2009.  I have gone through the ones that I've shared on Google Reader (an interesting walk down memory lane) and created a list of my ten favorite must-read InfoSec articles from 2009.  These are articles that either changed or solidified my thinking on a particular area of InfoSec.  They are listed below in no particular order:

Marking alerts as "handled" is an important feature of Security Event Management (SEM) systems.  This is necessary to support an intrusion detection workflow as well as to demonstrate compliance.  Unfortunately the open source edition of Prelude does not support this natively.

In order to add this functionality to Prelude, I have leveraged MySQL triggers to "archive" alerts to a separate database when they are deleted.  This has the advantage of creating a database of "handled" events using the native Prelude delete GUI without modifying the Prelude application.  The down side is that no additional "meta" information is recorded such as who handled the alert, what determination was reached, etc.  Anyone interested in that may want to look into the commercial version of Prelude with ticketing support.  If a simple solution is what you need, read on for details of how I set it up.

I have been exploring multiple configurations using open source software to generate, store, and review security-relevant information.  The solution I am working on is comprised of Log-based Intrusion Detection (LIDS), Host-based Intrusion Detection (HIDS), and Network-based Intrusion Detection (NIDS) combined with a Security Information Management (SIM) tool.

Google recently released the source code to Chromium OS, the community version of what will eventually be released as Chrome OS.  Compiled virtual machines are available from gdgt and over bittorrent.

Several resources are available from Google to learn more about the current and future of security in Chromium/Chrome OS.  These include a security overview page, and security video.

It is important to note that this "new" OS is really a new Linux distribution that uses Ubuntu 9.10 "Karmic Koala" as it's upstream release.  It appears that Canonical, the company behind Ubuntu Linux, may be partnered with Google to produce Chrome OS.

Below I've included a beginning look at security in the new Google Chromium OS.

On Roger's Information Security Blog, Roger posted an article about the challenges in getting his company to remove local admin rights from their users. It got me thinking about the issue, and how problems with administrative rights extend beyond just Information Security. Here is a list of arguments for using limited user accounts that I came up with:

Benefits:

• Limits the impact of viruses, worms, and other malicious software

First, I'd like to congratulate Billy Rios, Nate McFeters, Rob Carter, and John Heasman as the GIFAR Java attack was selected as the top web hacking attack technique for 2008.  I had the opportunity to meet Nate McFeters at a STLSec event, and I was impressed by how down to earth and knowledgeable he is. 

Second, through the post on Jeremiah's blog I learned of this post by Billy Rios.  It contains a great write-up of a practical attack using GIFARs, using Google as an example.

Finally, Sun has patched this particular attack vector.  The Sun advisory is #244988.  This is patched as of versions JDK and JRE 6 Update 11, JDK and JRE 5.0 Update 17, and SDK and JRE 1.4.2_19.

Security researcher Moxie Marlinspike presented a new vector of attack against HTTPS using Man in the Middle (MitM) attacks against SSL web sites, and an updated version of his sslstrip tool (not yet posted), at BlackHat DC.  You can watch the video of his presentation, and there is also an interview with Moxie and BlackHat organizer Jeff Moss.  Although some journalists have gotten the point of his presentation right - such as this article by George Ou -  many have not, and there is a lot of confusion about what Moxie actually presented.  Below I present my analysis of his presentation and what it means to us as security practitioners.

Researchers at the Chaos Computer Club in Moscow just published results of their research into MD5 collisions for x.509 Certificate Authorities.  By exploiting weaknesses in RapidSSL's certificate request implementation, they were able to successfully create a valid Intermediate CA certificate trusted by 99+% of browsers.  Combined with a man in the middle (MitM) attack such as the Kaminski DNS finding, this would truly break some of the fundamental trust models on the Internet.

Research paper here: http://www.win.tue.nl/hashclash/rogue-ca/

Demo site here: https://i.broke.the.internet.and.all.i.got.was.this.t-shirt.phreedom.org/

There are a couple of interesting related findings from this presentation:

Just saw this today on LifeHacker:
Bypass Network Blocks with Remote Desktop
"In a world of virtual communication, having personal email, Twitter, and access to blogs, etc is critical and necessary for many of us. Therefore, it becomes a nuisance when our employers block us from the sites that we love and hold so close to our virtual-loving-hearts." [. . .] "I recommend this for anyone who has that tight network administrator who has blocked all your favorite sites."

This isn't the first time I've seen bypass the firewall articles, nor is it even the most technically adept (most networks would block tcp/3389 inbound and outbound).  However, I think the language of the article speaks directly to the attitudes of the "digital natives" generation.  People, used to near-ubiquitous connectivity, are willing to bypass restrictions (and rules!) to get their Internet fix.  The following are some ideas for addressing this trend.

I wrote previously about the need to find ways to increase security without (much) spending.  I'd like to use this first post in the series to highlight two areas in which you may be able to find additional server resources, which may be necessary for some of the future ideas in the series.