Thursday, April 25, 2013

Learning Python - links for learning

I've been slowly learning to code in Python; mostly I've been using Learn Python the Hard Way.  So, it was great to see Mike's post on Writeblocked.org with a useful set of Python links.  Unfortunately, I missed that episode of the DFIR Online Meetup, but I'm thankful that he posted up all of his links.

Link to Python resources.

Tuesday, April 23, 2013

Verizon Data Breach Investigations Report and Insider Threats

The 2013 Verizon Data Breach Investigations Report (DBIR) is out and there is lots of excellent information.  I have only had a chance to scan some of the information and read some of the analysis and posts.  One post I took note of came from DarkReading and discussed the Insider Threat numbers.

You can read the post here.

The full 2013 DBIR can be found here.

Monday, April 22, 2013

Hostgator post on an insider attack

Another day, another insider attack.  This one was detailed by Hostgator.  The link is to the post from NakedSecurity and their writeup of the breach - and how the insider got caught.

Here's the story.

Sunday, April 21, 2013

TechNiki describes an insider attack

The more companies share about the attacks and breaches, the more the community learns.  This is good for the community for two reasons.  One, we can all learn from actual incidents, and two, the bad guys share intelligence - we should too.  So, it was great to read TechNiki's account of an insider attack.  Not good because it happened, but because we learned some of the insider controls that were breached.

This is a great write-up; hopefully we can all learn something.

TechNiki's write-up.


Saturday, April 20, 2013

Breaking radio silence....new job!

I know it has been a while since I have posted here; but lots has changed.  I have left the DoD contracting realm and moved on to a (very) large company where I work on their national incident response team.  The team is big, and my specific group gathers intelligence on the current persistent threats and implements controls to thwart those threats.  Of course, we're all incident handlers at heart, so when the alerts go off, we get dirty in the incident response process.

I absolutely love it.  Along with my other duties, I'll be delving into intrusion detection; something I do not have much experience doing.  Because of who my employer is, I am not at liberty to discuss the specifics of what we do, the incidents we face, and any of the specific threats we are combating.  A) I have a non-disclosure agreement.  B) Obviously, I can't give away secrets that would aid the adversaries.

However, I plan to keep the blog alive, talk incident response, intrusion detection, the state of those niches in incident response, and other current security issues that fit that mold.  Within incident response, I'm passionate about incidents dealing with the trusted insider - so there may be some posts in that vein.

Stay safe.

Monday, March 18, 2013

I wish Google Reader wasn't going away

I'm an avid Google Reader user; I like how the interface is easy to navigate and gets me right to new posts.  I'm not too social with my posts: I'm not "liking" them, sharing them, or starring them.  Losing that functionality in the past did not bother me.  So, I was not pleased to hear the other day that Google Reader is going away.  I'm looking into alternatives.

Feedly, right now, is my top choice for a replacement.  I especially like that there is an Android application and they are trying to stay close to the Google Reader format.

NewsBlur looks promising too.  However, I was not really looking to pay for usage.  Then again, $1 a month is not going to break the bank.

The Old Reader looks promising as well; it is another reader in the Google Reader vein.

NetVibes looks interesting, but as of yet, I do not see a mobile application.

I've tried Pulse, but I think I saw that you can only have 20 feeds in the feedreader portion of the application.  It was visually stunning, but I have way more than 20 feeds that I follow.

There are some other readers listed in a great Gizmodo post.  As I look at other applications, I'll update this post.

I saw a change.org petition that had over 100,000 signatures.  I'm not sure what kind of good that will do.  My wish is that Google would leave the code as is, and just make the nominal, important security patches.

FWIW, my requirements are for a simple reader; I do not need the flashy magazine look.  I would prefer an Android app, so I can peruse articles in my spare time and not be tied to the computer.  I do not need the ability to share/broadcast/like stories, etc.  And, any application where I can port over my feeds would be a plus.  Yes, I know Google has the Google Takeout service, but not every application makes perfect use of it.

Edit 3/19/2013:  Two other readers I have discovered but have not researched:

  • Bloglines
  • Fever

Wednesday, March 13, 2013

New (In)Secure magazine out

I just received an email today that the new edition (number 37) of (In)Secure magazine is out.

You can get it here.


Tuesday, March 5, 2013

Windows 8 STIG released

The other day, DISA released a Windows 8 STIG.  At the present time, the STIG appears to be entirely manual in process as I do not yet see a SCAP benchmark for it.

So far, in the field, I have not come across any Windows 8 systems.  When I do, I will post my reactions to running an audit against the STIG.

Thursday, January 24, 2013

DumpEventLog is a great tool to parse Windows event logs

We have an instant messaging server in the office which helps with communication with those employees that telecommute.  The server is running OpenFire (I think) and the clients are using Pidgin to connect and instant message.  I'm not much of an administrator, so I cannot comment on how good the tools actually are.  But, as a user, I find great value in being able to reach out to anyone and have a quick conversation without having to wait for email or the like.

That said, our Pidgin server has been going down with some regularity; roughly once a month, but sometimes a bit more.  And when it goes down, it takes forever to come back up.  Its usefulness as a tool has been diminishing.

As an incident response guy, one of the first things I wanted to see was the logs.  But, I did not know a way that I would be able to read the logs short of logging in to the server...and I did not have credentials (I'm not an admin.)  I looked for, and found, this script, DumpEventLogs.vbs.  The script was suitable for me to give to an admin to run and provide the results back to me.  And, there were a couple of canned scripts to look at some of the low-hanging fruit (failed logons, user accounts created, abnormal shutdowns, etc.)  The data returned to me was easy enough to read, and in a format that I could filter on whatever criteria I wanted.  Ultimately, I filtered the data on date, and was able to pin down that the machine was hanging upon reboots after applying patches.  Rather benign.  But, having this tool helped solve the problem.  As for the server issue... that hasn't been fixed, but at least we know when to expect it to go down again next.
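As an added example (not the DumpEventLog script the post links to), here is a PowerShell script an admin could run on the server to pull the same categories of events and flag unexpected shutdowns that follow a patch install; the output folder, the 60-day window and the 24-hour correlation window are my assumptions.

```powershell
# Added example, not the script from the post: dump the "low-hanging fruit"
# events to CSV and flag unexpected shutdowns that follow a patch install.
# Run as an administrator on the server (the Security log requires it).
param(
    [datetime]$Start  = (Get-Date).AddDays(-60),        # assumption: 60-day window
    [datetime]$End    = (Get-Date),
    [string]  $OutDir = "$env:TEMP\eventlog-triage"     # assumption: any writable folder
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# System log: 6008 = unexpected shutdown, 1074 = shutdown/restart with reason,
# 19/20 = Windows Update install succeeded/failed.
$system = @(Get-WinEvent -FilterHashtable @{
    LogName = 'System'; Id = 6008, 1074, 19, 20; StartTime = $Start; EndTime = $End
} -ErrorAction SilentlyContinue)

# Security log: 4625 = failed logon, 4720 = user account created.
$security = @(Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4625, 4720; StartTime = $Start; EndTime = $End
} -ErrorAction SilentlyContinue)

# Flat CSV the admin can hand back; easy to sort and filter on date later.
# Only the first line of each message is kept so the CSV stays one row per event.
$system + $security |
    Select-Object TimeCreated, LogName, Id, ProviderName,
                  @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } } |
    Sort-Object TimeCreated |
    Export-Csv -Path (Join-Path $OutDir 'events.csv') -NoTypeInformation

# Correlate: for each unexpected shutdown, list update installs in the prior 24h.
# Note: 6008 is written when the box comes back up, so TimeCreated is the
# recovery time; the actual crash time is quoted inside the event text.
foreach ($crash in ($system | Where-Object Id -eq 6008 | Sort-Object TimeCreated)) {
    $patches = @($system | Where-Object {
        $_.Id -in 19, 20 -and
        $_.TimeCreated -ge $crash.TimeCreated.AddHours(-24) -and
        $_.TimeCreated -le $crash.TimeCreated
    })
    "{0:u}  unexpected shutdown; {1} update install event(s) in the prior 24h" -f
        $crash.TimeCreated, $patches.Count
    foreach ($p in $patches) {
        "    {0:u}  Id {1}: {2}" -f $p.TimeCreated, $p.Id, ($p.Message -split "`r?`n")[0]
    }
}
```

A run of unexpected shutdowns that each show an update install in the preceding window points at the patch/reboot cycle the post describes rather than at an attack.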

Tuesday, January 22, 2013

ESXi, Google Chrome, and Exchange 2010 STIGs released

I happened to be browsing DISA's site when I saw that the following STIGs have been released:

  • ESXi 5 (Draft)
  • Google Chrome (both a benchmark and a STIG)
  • Exchange 2010

This is great news with regard to ESXi, as many times we run across ESXi in the field.  While the guidance is to use ESX, most entities migrate to ESXi for cost.  And the guidance does not translate to ESXi; it's just a different animal.  So, I'm glad DISA has released ESXi guidance.  Further, adding a benchmark for Google Chrome will make auditing those systems with Chrome installed much easier.