Performance Measurement Guide for Information Security

NIST is pleased to announce the release of NIST Special Publication 800-55, Revision 1, Performance Measurement Guide for Information Security. This publication provides assistance in the developing, selecting, and implementing security performance measures to be used at the information system and program levels. These measures indicate the effectiveness of security controls applied to information systems and supporting information security programs.

Click here to download the PDF.


USB Snoop: A USB Sniffer

USBSnoop is a program (a driver) that logs the USB data exchanged between the hardware and its device driver. The best part is that it is open source.

It is based on the WDM architecture (Windows Driver Model), which supports the insertion of a filter between device drivers. In this case, the filter itself is a driver.

It is also very easy to install. All you need to do is copy the driver to your ‘drivers’ directory (normally c:\windows\system32\drivers for Windows XP and c:\WINNT\system32\drivers for Windows 2000). Then configure the sniffer front-end, sniffusb.exe, and use the device that needs to be sniffed. The program saves its log in the root of your Windows drive under the name usbsnoop.log.

This application is compatible with Windows 98, Windows 2000 and Windows XP.

Download the latest version (though not updated in a LONG time) here (version 1.8).


Found on

DNS Exploit in the Wild

We’ve been tracking Metasploit commits since Matasano’s premature publication of [Dan Kaminsky]’s DNS cache poisoning flaw on Monday, knowing full well that a functional exploit would be coming soon. Only two hours ago [HD Moore] and [I)ruid] added a module to the Metasploit Project that will let anyone test the vulnerability (with the comment: “ZOMG. What is this? >:-)“). [HD] told Threat Level that it doesn’t work yet for domains that are already cached by the DNS server, but it will automatically wait for the cached entry to expire and then complete the attack. You can read more about the bailiwicked_host.rb module in CAU’s advisory. For a more detailed description of how the attack works, see this mirror of Matasano’s post. You can check if the DNS server you are using is vulnerable by using the tool on [Dan]’s site.

From Hack-a-Day.

iPhone Forensics

iPhone Forensics gives IT professionals, security personnel, and law enforcement the knowledge needed to conduct forensic analysis of an iPhone. This book shows the reader how to recover sensitive information from the device and perform disaster recovery, and walks the reader through various scenarios for recovering different types of information. With this guide, the reader will be able to effectively recover live, lost, or deleted email, photos, voicemail, Google Maps searches, typing cache, and other sensitive data retained by the iPhone. The reader will learn advanced techniques including data recovery, properly preserving and preparing evidence, and technical techniques such as bypassing basic passcode security or recovering data even after a full restore (by, say, a disgruntled employee). Finally, the reader will learn how to properly wipe an iPhone clean of all data for resale or reissue – something Apple’s own restore process fails to do.

iPhone Forensics: Rough Cuts Version from O’Reilly

Most influential movie of my life: Wargames

For me, the inspiration for the project was a TV special Peter Ustinov did on several geniuses, including Hawking. I found the predicament Hawking was in fascinating — that he might one day figure out the unified field theory and not be able to tell anyone, because of his progressive ALS. So there was this idea that he’d need a successor. And who would that be? Maybe this kid, a juvenile delinquent whose problem was that nobody realized he was too smart for his environment. That resonated with Walter. So I said, let’s actually go talk to people about how a kid could get in trouble and get discovered by a brainy scientist and take it from there.

Wargames was one of my favorite movies. I was just getting into hacking and phreaking at the time while running a BBS. I soon found myself at 2600 meetings and eventually getting interviewed by the feds (it wasn’t a job interview). The only movie that comes close is Sneakers. Wired has done a great job digging up some great interviews, and while I usually roll my eyes when Mitnick gets interviewed, he was directly impacted by this movie:

Mitnick: That movie had a significant effect on my treatment by the federal government. I was held in solitary confinement for nearly a year because a prosecutor told a judge that if I got near a phone, I could dial up Norad and launch a nuclear missile. I never hacked into Norad. And when the prosecutor said that, I laughed — in open court. I thought, “This guy just burned all his credibility.” But the court believed it. I think the movie convinced people that this stuff was real. They tried to make me into a fictional character.

Read the full article.

The Internet is Broke – Check your DNS server to see if you’re vulnerable

Wow. It’s out. It’s finally, finally out.


So there’s a bug in DNS, the name-to-address mapping system at the core of most Internet services. DNS goes bad, every website goes bad, and every email goes…somewhere. Not where it was supposed to. You may have heard about this — the Wall Street Journal, the BBC, and some particularly important people are reporting on what’s been going on. Specifically:

1) It’s a bug in many platforms

2) It’s the exact same bug in many platforms (design bugs, they are a pain)

3) After an enormous and secret effort, we’ve got fixes for all major platforms, all out on the same day.

4) This has not happened before. Everything is genuinely under control.

I’m pretty proud of what we accomplished here. We got Windows. We got Cisco IOS. We got Nominum. We got BIND 9, and when we couldn’t get BIND 8, we got Yahoo, the biggest BIND 8 deployment we knew of, to publicly commit to abandoning it entirely.

It was a good day.

CERT has details up, and there’s a full-on interview between myself and Rich Mogull up on Securosis. For the non-geeks in the audience, you might want to tune out here, but this is my personal blog and I do have some stuff to mention to the crew.

Read more from the man of the hour, Dan Kaminsky. You can check to see if your nameserver is vulnerable at DoxPara. Word is he will release details of this vulnerability at Black Hat in a few weeks.
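As an added example (not code from this post, from Kaminsky, or from the DoxPara checker), the script below shows what such a check looks at from the defender's side. The poisoning attack has to guess the 16-bit DNS transaction ID of an outstanding query; the fix that shipped for this bug was to also randomize the UDP source port of the resolver's outgoing queries, which multiplies the guess space by the number of usable ports. Given (source port, transaction ID) pairs as they would appear in a packet capture of a resolver's outbound queries, the script estimates the entropy of each field and flags a resolver whose ports are fixed or simply incrementing. The sample records are constructed, and the entropy threshold and the counter-detection tolerance are my own heuristics.

```python
"""Added example: heuristic check of DNS query source-port randomization.
Input records are constructed (source_port, txid) pairs, not a real capture."""
import math
import random
from collections import Counter


def shannon_bits(values):
    """Shannon entropy in bits of the observed value distribution."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_sequential(values, tolerance=0.9):
    """True when at least `tolerance` of consecutive samples step by exactly 1,
    i.e. the field comes from a counter rather than a PRNG."""
    if len(values) < 2:
        return False
    steps = sum(1 for a, b in zip(values, values[1:]) if b - a == 1)
    return steps / (len(values) - 1) >= tolerance


def assess_resolver(samples):
    """samples: list of (source_port, txid) pairs from the resolver's queries.
    A randomized field should have entropy close to log2(len(samples)); a fixed
    or incrementing source port is the pattern the Kaminsky attack exploits."""
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    max_bits = math.log2(len(samples))
    port_bits = shannon_bits(ports)
    txid_bits = shannon_bits(txids)
    port_fixed = len(set(ports)) == 1
    port_counter = is_sequential(ports)
    txid_counter = is_sequential(txids)
    # Heuristic threshold (assumption): ports with less than half the entropy
    # achievable for this sample size are treated as not randomized.
    vulnerable = port_fixed or port_counter or txid_counter or port_bits < 0.5 * max_bits
    return {
        "samples": len(samples),
        "port_entropy_bits": round(port_bits, 2),
        "txid_entropy_bits": round(txid_bits, 2),
        "port_fixed": port_fixed,
        "port_counter": port_counter,
        "txid_counter": txid_counter,
        "vulnerable": vulnerable,
    }


def build_samples(kind, n=64, seed=1):
    """Construct sample query records for three resolver behaviours."""
    rng = random.Random(seed)
    txids = [rng.randrange(0, 1 << 16) for _ in range(n)]
    if kind == "fixed_port":          # unpatched: every query from port 53
        ports = [53] * n
    elif kind == "counter_port":      # unpatched: port increments per query
        ports = [1024 + i for i in range(n)]
    elif kind == "random_port":       # patched: ephemeral port chosen randomly
        ports = [rng.randrange(1024, 65536) for _ in range(n)]
    else:
        raise ValueError(kind)
    return list(zip(ports, txids))


if __name__ == "__main__":
    for kind in ("fixed_port", "counter_port", "random_port"):
        print(kind, assess_resolver(build_samples(kind)))
```

Run against a real capture, the records would come from the resolver's outbound UDP/53 traffic (e.g. a tcpdump of queries to authoritative servers); the report is a heuristic, so a "vulnerable" verdict means the port field looks predictable, not that the exact exploit will succeed.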