CERT/CC Blog

CNAME flux

Thu, 05 Jan 2012 16:15:00 -0500

Hello this is Jonathan Spring. Recently, Leigh Metcalf and I uncovered some interesting results in our continuing work on properties of the Domain Name System (DNS). Our work involves an unconventional use of CNAME (canonical name) records. Besides an IP address, CNAME records are the only other location a domain may have in the DNS. Instead of an IP address, a CNAME record is a redirection or alias service that points to another name.

Challenges in Network Monitoring above the Enterprise

Fri, 23 Sep 2011 10:06:00 -0500

Recently George Jones, Jonathan Spring, and I attended USENIX Security '11. We hosted an evening Birds of a Feather (BoF) session where we asked a question of some significance to our CERT^® Network Situational Awareness (NetSA) group:

Is Large-Scale Network Security Monitoring Still Worth Effort?

Signed Java and Cisco AnyConnect

Thu, 09 Jun 2011 13:35:13 -0500

A few years ago, I published a blog entry called Signed Java Applet Security: Worse than ActiveX? In that entry, I explained the problems that arise when a vulnerability is discovered in a signed Java applet. Let's see how the Cisco AnyConnect vulnerability is affected.

Effectiveness of Microsoft Office File Validation

Thu, 19 May 2011 14:26:00 -0500

Microsoft recently released a component for Office called Office File Validation that is supposed to help protect against attacks using malformed files. Because I recently performed file fuzzing tests on Microsoft Office, I decided to test the effectiveness of Office File Validation.

A Security Comparison: Microsoft Office vs. Oracle Openoffice

Wed, 13 Apr 2011 14:52:00 -0500

Recently, Dan Kaminsky published a blog entry that compared the fuzzing resiliency of Microsoft Office and Oracle OpenOffice. This blog entry contains the results from a similar test that I performed in November 2010. Also included are some other aspects of the Office suites that can affect the software's security.

Announcing the CERT Basic Fuzzing Framework 2.0

Mon, 28 Feb 2011 15:53:00 -0500

Version 2.0 of the CERT Basic Fuzzing Framework (BFF) made its debut on Valentine's Day at the 2011 CERT Vendor Meeting in San Francisco. This new edition has a lot of cool features that we'll be describing in more detail in future posts, but we wanted to let you know that it's available so that you can download and try it.

"Network Monitoring for Web-Based Threats" released

Mon, 14 Feb 2011 13:32:00 -0500

The CERT Network Situational Awareness (NetSA) team, specifically our talented and hard-working intern Matthew Heckathorn under Sid Faber's guidance, has published an SEI Technical Report on monitoring web-based threats.

Blog reorganization

Fri, 11 Feb 2011 15:01:00 -0500

Hi, folks. As you can see, we've changed the name of the Vulnerability Analysis Blog to the CERT/CC Blog. With this name change, we're expanding the focus of the blog to include content from other technical teams.

CERT Basic Fuzzing Framework Update

Wed, 22 Sep 2010 11:26:00 -0500

Hi, folks. We've recently updated the CERT^® Basic Fuzzing Framework (BFF). The new BFF 1.1 contains new functionality and improves performance.

Study of Malicious Domain Names: TLD Distribution

Tue, 31 Aug 2010 14:28:00 -0500

Hello, folks. This post comes to you courtesy of Aaron Shelmire from the Network Situational Awareness team. Aaron writes:

Recently the Network Situational Awareness team at CERT has been researching the characteristics of malicious network touchpoints. The findings of this initial research are very telling as to the true state of security on the internet.

CERT Basic Fuzzing Framework

Wed, 26 May 2010 14:00:00 -0500

Hi folks. I've been involved in a fuzzing effort at CERT. One of the ways that I've been able to discover vulnerabilities is through "dumb" or mutational fuzzing. We have developed a framework for performing automated dumb fuzzing. Today we are releasing a simplified version of automated dumb fuzzing, called the Basic Fuzzing Framework (BFF).

Top-10 Top Level and Second Level Domains found in Malicious Software

Fri, 05 Mar 2010 14:10:32 -0500

Hello folks. This post comes to you courtesy of Ed Stoner and Aaron Shelmire from the Network Situational Awareness group at CERT. They write:

Recently there have been some statistics published on botnet Command & Control (C2) channels. These statistics claim that 94.58% of botnet C2 channels are under the .com top level domain (TLD). While it's impossible to accurately comment on those statistics without knowing the methodology used to arrive at them, we at CERT have been doing research concerning malicious domain names that arrives at a different result.

Plain Text Email in Outlook Express

Fri, 13 Nov 2009 09:23:00 -0500

Reading email messages in plain text seems like a reasonable thing to do to improve the security of your email client. Plain text takes less processing than HTML, which should help minimize your attack surface, right? As it turns out, Outlook Express (and its derivatives) is doing more than you think when it is configured with the "Read all messages in plain text" option enabled.

Managing IPv6 - Part 2

Tue, 06 Oct 2009 15:44:00 -0500

Past entries have addressed both securing and disabling IPv6. This entry describes ways that administrators can secure their networks and generate test cases to test those settings.

Managing IPv6 - Part 1

Wed, 19 Aug 2009 10:07:00 -0500

This entry is the first in a series about securely configuring the IPv6 protocol on selected operating systems. Although this entry focuses on how to disable IPv6, we are not recommending that everyone immediately disable IPv6. However, if critical parts of your infrastructure (firewall, IDS, etc.) do not yet fully support the IPv6 protocol, consider disabling IPv6 until those components can be upgraded.