Exploits

Security Practitioners' Forum (February 25, 2008) [Building Malware]

2008-02-25 18:30
2008-02-25 20:30
Etc/GMT-7

The monthly meeting of the Security Practitioners' Forum (Security Users' Group)

Topic: Building Malware.

Learn to think like the Black Hats to better defend ourselves.

Presenter: Erik Graham et al. plus forum participation!

At the February '08 AZSPF meeting we will discuss the topic of Building Malware. This will be a highly interactive discussion led by an industry expert with practical hands-on malware analysis experience. During the discussion we will conceptually design a piece of malware in pseudocode to illuminate the subject and facilitate discussion of catching/preventing malware.

The Arizona Security Practitioners' Forum is an organic group for InfoSEC Professionals.

Capture the Flag / War Gamez / White Hat Hacking Competition (February 17, 2007)

2007-02-17 08:30
2007-02-17 16:30
Etc/GMT-7

A Special Event of the Security Practitioners' Forum (Security Users' Group) in collaboration with DC480 and Interface Technical Training.

Topic: Capture the Flag (CTF) / WarGamez.

Be involved in a White Hat hacking competition!

Presenter: Multiple (Christian, Dale, Ken, etc.)

Please visit the discussion forum to participate in the planning process. This page will be updated as the details are worked out.

Security Practitioners' Forum (January 22, 2007) [Phoenix CTF Planning]

2007-01-22 18:30
2007-01-22 20:30
Etc/GMT-7

The monthly meeting of the Security Practitioners' Forum (Security Users' Group)

Topic: Capture the Flag (CTF) / WarGamez Planning Session.

Be involved in the creation of a White Hat hacking competition!

Presenter: Multiple (Christian, Dale, Ken, etc.)

At the January '07 AZSPF meeting we will be planning a White Hat hacking event for the Valley of the Sun. This is a follow-up to the planning in the November '06 meeting. Bring your ideas for construction, and designing in certain exploits and milestones. Also, we expect to have several workstations available with VMware Server/Player and/or MS Virtual PC so that we can validate some of the November design ideas. If you're feeling ambitious and want to build a VM to bring to the meeting, please do. Also, any other ideas/contributions such as known exploitable web-apps (only stuff we can mess with legally please...) would be appreciated.

Remember to save the date for February 17th when we will conduct the White Hat hacking event! This is our first time organizing an event like this so I expect it will be very fluid in nature and we will learn a lot (both on the intended topic and about event organization!).

File and Directory Enumeration with Google Sitemap

Our friend Adam Muntner recently blogged about an undocumented (probably unplanned) feature of Google's Sitemap XML protocol. Turns out it makes finding unpublished content on webservers even easier! In this blog entry Adam explains how it works.

"While playing with the Google Webmaster tools, I came across the “Sitemap” XML protocol which is used to inform search engines about pages on your website that are available for crawling... Far more interesting - you can find pages in the sitemap.xml which would not be indexed if it weren’t for the Sitemap protocol."

I wonder if Governor Schwarzenegger is worried!

Open Source Malware Search Engine

eWeek are reporting that HD Moore has released a Malware Search Engine that can find live malware binaries and source through Google. From the article: "The new Malware Search project provides a Web interface that allows anyone to enter the name of a known virus or Trojan and find Google results for Web sites hosting malicious executables." According to a Slashdot post: "The tool then searches for actual malware signatures and uses the signature output from ClamAV to find the name of the malware. This is then used in conjunction with a PE signature matching method to form a Google query. Afterwards the malware can then be downloaded directly from Google."

Windows Rootkit Wars Escalate

From Slashdot:

"The rootkit wars have started to escalate with a rootkit named Rustock which is able to remain hidden from all the popular anti-rootkit tools. It uses some new techniques including not only putting itself in an ADS (NTFS alternate data stream) which isn't seen by normal file system enumeration tools, but even blocks ADS aware tools from seeing the stream. Works in Vista, too! Analysis in both Symantec and F-Secure blogs."

FBI Password Database Compromised by Consultant

The Seattle Times are running a priceless story about the FBI:

A government consultant, using computer programs easily found on the Internet, managed to crack the FBI's classified computer system and gain the passwords of 38,000 employees, including that of FBI Director Robert Mueller.

The consultant used a program downloaded from the Internet to extract "hashes" — user names, encrypted passwords and other information — from the FBI's database. Then he used another program to crack the passwords by using dictionary word comparisons, lists of common passwords and character substitutions to figure out the plain text passwords.

Army files on hard drives may have been sold in Afghan bazaar.

From the BBC (link to article):
US forces in Afghanistan are checking reports that stolen computer hardware containing military secrets is being sold at a market beside a big US base.

Shopkeepers at a market next to Bagram base, outside Kabul, have been selling memory drives stolen from the facility, the Los Angeles Times newspaper says.

The disks reportedly contain personal details about US soldiers, military defences and lists of enemy targets.

Hard Drive Encryption anyone?

Web Application Hacks on the rise

InformationWeek are reporting that Web Application Hacks are on the rise. Statistics are drawn from the Web Application Security Consortium. The numbers look a little low but I haven't checked into their counting methodology.

War Gamez / Capture the Flag

I would like to put together our own version of War Gamez/CTF. The basic premise is that we set up a 'sandbox' environment with several different flavors of servers and compete to see who can keep their stuff running while cracking the other teams' stuff. Structure isn't very formal right now - looking for suggestions on ground rules, format, etc. Please post to this forum to contribute.

Maybe we can run some different IDS/IPS systems during the festivities and evaluate their performance afterwards.

The main goal is to share and learn - hope you can contribute to the development and participate! Join the mailing list!