Wednesday, December 26, 2007

A new wave of Storm Worm

It looks like it is back, at least another wave.
Analysis from SANS.
And from the Digital Intelligence and Strategic Operations Group: part 1 and part 2.

New Year's variants from SANS.

Monday, December 24, 2007

A little pruning

I removed some of my links; mostly blogs I read through Google Reader. The links I've left are blogs or sites I read that either I can't link to through Google Reader or are more of a resource.

Merry Christmas

8 And there were in the same country shepherds abiding in the field, keeping watch over their flock by night.

9 And, lo, the angel of the Lord came upon them, and the glory of the Lord shone round about them: and they were sore afraid.

10 And the angel said unto them, Fear not: for, behold, I bring you good tidings of great joy, which shall be to all people.

11 For unto you is born this day in the city of David a Saviour, which is Christ the Lord.

12 And this shall be a sign unto you; Ye shall find the babe wrapped in swaddling clothes, lying in a manger.

13 And suddenly there was with the angel a multitude of the heavenly host praising God, and saying,

14 Glory to God in the highest, and on earth peace, good will toward men.

15 And it came to pass, as the angels were gone away from them into heaven, the shepherds said one to another, Let us now go even unto Bethlehem, and see this thing which is come to pass, which the Lord hath made known unto us.

16 And they came with haste, and found Mary, and Joseph, and the babe lying in a manger.

17 And when they had seen it, they made known abroad the saying which was told them concerning this child.

18 And all they that heard it wondered at those things which were told them by the shepherds.

19 But Mary kept all these things, and pondered them in her heart.

20 And the shepherds returned, glorifying and praising God for all the things that they had heard and seen, as it was told unto them.

Luke 2:8-20, King James Version

And Linus.

Sunday, December 23, 2007

Looking for a hardware write-blocker

I was browsing a page on NIST because I'm looking for a good hardware write-blocker. The page had links to their benchmarks on a bunch of them, some from Digital Intelligence, MyKey, and Tableau (amongst others). Does anyone have any recommendations? What do you use the most and why? I've heard about Digital Intelligence, Tableau, and MyKey, but I haven't used any of them.

Friday, December 21, 2007

Flash Player Updates

I read a great blog piece on the update of Flash. What I thought best was a link to Adobe's site where they tell what version you are using and what version to update to.

Thursday, December 20, 2007

Motorola Moto Q

I can admit that I'm a gadget guy. So, we just updated our cellphones. My wife picked out the enV and I'm trying the Moto Q. My last phone was a Motorola E815, a flip phone. So, it's taking a little getting used to the new phone. I don't have the full data plan, which probably diminishes the phone somewhat; but I'm liking it. Texting is certainly easier. I'll post some more thoughts in a couple of days.

Wednesday, December 19, 2007

Patch Tuesday Patches

I finished reading SANS's writeup of the patches that MS released on Patch Tuesday. I noticed that there were three patches that were labeled "Critical." As I am not the system/network admin, I passed the reviews on to my co-worker, who is the admin. His response was "Maybe we'll get to them. The AV signatures are up-to-date and the spam filter is up-to-date." Plus, he added, the firewall has been running without a problem. (Not that he would actually know; the logs only get reviewed when there is an incident.)

We use Microsoft's patch server in-house (I forget the name of it). That is, administratively, the admin decides what patches to get from Microsoft, the server fetches the patches, then pushes the patches out to the client machines. How many times is this done a year? Maybe twice. Maybe.
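One way to turn "maybe we'll get to them" into a number is to check what actually landed on a machine. The following is an added example, not something from the original post: it uses the standard Get-HotFix cmdlet to compare the updates installed on the local box against a list of expected KB numbers and to report how long it has been since any update was installed. The KB IDs in $expected are placeholders, not the real bulletin numbers from that Patch Tuesday; substitute the ones from the month's SANS or Microsoft writeup.

```powershell
# Added example (not from the original post). Compares installed hotfixes
# against the KB numbers the patch server was supposed to deliver.
# The three IDs below are placeholders, not real Microsoft bulletin numbers.
$expected = @('KB0000001', 'KB0000002', 'KB0000003')

# Get-HotFix reads Win32_QuickFixEngineering: it lists OS updates installed
# through Windows Update / the in-house patch server, not every product's patches.
$hotfixes  = Get-HotFix
$installed = $hotfixes | Select-Object -ExpandProperty HotFixID

# Anything expected but absent from the installed list is a gap.
$missing = $expected | Where-Object { $installed -notcontains $_ }

if ($missing) {
    Write-Output "Missing updates on ${env:COMPUTERNAME}:"
    $missing | ForEach-Object { Write-Output "  $_" }
} else {
    Write-Output "All expected updates are installed on ${env:COMPUTERNAME}."
}

# How stale is the box overall? The newest InstalledOn date says when a
# patch last actually landed, which is the figure to put in front of the admin.
$newest = $hotfixes |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1

if ($newest) {
    $age = (Get-Date) - $newest.InstalledOn
    Write-Output ("Last update {0} installed {1:yyyy-MM-dd}, {2} days ago." -f $newest.HotFixID, $newest.InstalledOn, [int]$age.TotalDays)
}
```

Run it on a few workstations and a server; a "days ago" value in the hundreds makes the twice-a-year cadence visible in a way a bulletin summary does not. Get-HotFix also accepts -ComputerName for checking remote machines you have admin rights on.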

I believe we should be doing this EVERY month. While we might have bolstered defenses in anti-virus, spam detection and firewall rules, what happens if the threat comes from INSIDE the perimeter? I know we have users that click on links in spam email. What if one of those links downloads something malicious? Once it is inside, we could be done.

This same admin refuses to patch the servers, using basically the same logic. "The servers are inside the DMZ, nothing should get to them."

I'm usually the first of the IT guys in the building in the morning. I walk past the server room, just to make sure the lights are on all of the servers. I know there's a day coming when they won't be.

Any thoughts on how to "persuade" the admin to patch more frequently?

Thursday, December 6, 2007

Keyloggers: Hardware or Software?

I've been looking into acquiring a keylogger of some sort. It will help when I'm employed to keep tabs on a suspect. I've done a lot of reading on the subject and I have some questions. I realize that there are hardware keyloggers (keyboard connectors), software, and keyloggers manufactured into the keyboard. A logger manufactured into a keyboard is not in the equation for a couple of reasons. It would be obvious to a user if they are using a different keyboard than they are accustomed to using. Also, I understand they are expensive. That leaves me with two choices: a hardware solution, and a software solution.

I wouldn't mind a hardware solution. Most of the time, where the keyboard is plugged in is out of the way, and mostly hidden. However, I've seen that there are space considerations going this route. I'm not sure if I'll be able to check the computer on a regular basis, say nightly.

A software solution would be ideal, something that could be covertly installed. However, I need something that won't show up in task manager, won't trip anti-virus or anti-spyware software, and obviously won't show up in the systray. Is there a good software package for this? Does one exist? The last thing I need is to tip off the suspect.

So, my question is: What do you use, and what do you like? Are there any "certified" for incident response? Does the government or law enforcement have anything (commercially available) that comes recommended?