Wednesday, December 26, 2007

A new wave of Storm Worm

It looks like it is back, at least another wave.
Analysis from SANS.
And from the Digital Intelligence and Strategic Operations Group: 1 + 2

New Year's variants from SANS.

Monday, December 24, 2007

A little pruning

I removed some of my links; mostly blogs I read through Google Reader. The links I've left are blogs or sites I read that either I can't link to through Google Reader or are more of a resource.

Merry Christmas

8 And there were in the same country shepherds abiding in the field, keeping watch over their flock by night.

9 And, lo, the angel of the Lord came upon them, and the glory of the Lord shone round about them: and they were sore afraid.

10 And the angel said unto them, Fear not: for, behold, I bring you good tidings of great joy, which shall be to all people.

11 For unto you is born this day in the city of David a Saviour, which is Christ the Lord.

12 And this shall be a sign unto you; Ye shall find the babe wrapped in swaddling clothes, lying in a manger.

13 And suddenly there was with the angel a multitude of the heavenly host praising God, and saying,

14 Glory to God in the highest, and on earth peace, good will toward men.

15 And it came to pass, as the angels were gone away from them into heaven, the shepherds said one to another, Let us now go even unto Bethlehem, and see this thing which is come to pass, which the Lord hath made known unto us.

16 And they came with haste, and found Mary, and Joseph, and the babe lying in a manger.

17 And when they had seen it, they made known abroad the saying which was told them concerning this child.

18 And all they that heard it wondered at those things which were told them by the shepherds.

19 But Mary kept all these things, and pondered them in her heart.

20 And the shepherds returned, glorifying and praising God for all the things that they had heard and seen, as it was told unto them.

Luke 2:8-20, King James Version

And Linus.

Sunday, December 23, 2007

Looking for a hardware write-blocker

I was browsing a page on NIST because I'm looking for a good hardware write-blocker. The page had links to their benchmarks on a bunch of them, some from Digital Intelligence, MyKey, and Tableau (amongst others). Does anyone have any recommendations? What do you use the most and why? I've heard about Digital Intelligence, Tableau, and MyKey, but I haven't used any of them.

Friday, December 21, 2007

Flash Player Updates

I read a great blog piece on the update of Flash. What I thought best was a link to Adobe's site where they tell what version you are using and what version to update to.

Thursday, December 20, 2007

Motorola Moto Q

I can admit that I'm a gadget guy. So, we just updated our cellphones. My wife picked out the enV and I'm trying the Moto Q. My last phone was a Motorola E815, a flip phone. So, the new phone is taking a little getting used to. I don't have the full data plan, which probably diminishes the phone somewhat; but I'm liking it. Texting is certainly easier. I'll post some more thoughts in a couple of days.

Wednesday, December 19, 2007

Patch Tuesday Patches

I finished reading SANS' writeup of the patches that MS released on Patch Tuesday. I noticed that there were three patches that were labeled "Critical." As I am not the system/network admin, I passed the reviews on to my co-worker, who is the admin. His response was "Maybe we'll get to them. The AV signatures are up-to-date and the spam filter is up-to-date." Plus, he added, the firewall has been running without a problem. (Not that he would actually know; the logs only get reviewed when there is an incident.)

We use Microsoft's patch server in house (I forget the name of it). That is, administratively, the admin decides what patches to get from Microsoft, the server fetches the patches, then pushes the patches out to the client machines. How many times is this done a year? Maybe twice. Maybe.

I believe we should be doing this EVERY month. While we might have bolstered defenses in anti-virus, spam detection and firewall rules, what happens if the threat comes from INSIDE the perimeter? I know we have users that click on links in spam email. What if one of those links downloads something malicious? Once it is inside, we could be done.

This same admin refuses to patch the servers, using basically the same logic. "The servers are inside the DMZ, nothing should get to them."

I'm usually the first of the IT guys in the building in the morning. I walk past the server room, just to make sure the lights are on on all of the servers. I know there's a day coming when they won't be.

Any thoughts on how to "persuade" the admin to patch more frequently?

Thursday, December 6, 2007

Keyloggers: Hardware or Software?

I've been looking into acquiring a keylogger of some sort. It will help when I'm employed to keep tabs on a suspect. I've done a lot of reading on the subject and I have some questions. I realize that there are hardware keyloggers (keyboard connectors), software, and keyloggers manufactured into the keyboard. A logger manufactured into a keyboard is not in the equation for a couple of reasons. It would be obvious to a user if they are using a different keyboard than they are accustomed to using. Also, I understand they are expensive. That leaves me with two choices: a hardware solution, and a software solution.

I wouldn't mind a hardware solution. Most of the time, where the keyboard is plugged in is out of the way, and mostly hidden. However, I've seen that there are space considerations going this route. I'm not sure if I'll be able to check the computer on a regular basis, say nightly.

A software solution would be ideal, something that could be covertly installed. However, I need something that won't show up in task manager, won't trip anti-virus or anti-spyware software, and obviously won't show up in the systray. Is there a good software package for this? Does one exist? The last thing I need is to tip off the suspect.

So, my question is: What do you use, and what do you like? Are there any "certified" for incident response? Does the government or law enforcement have anything (commercially available) that comes recommended?

Friday, November 23, 2007

Happy Thanksgiving - sorry there haven't been updates

I'm trying to go independent. I've gotten an office, I'm starting to incorporate, and I've been busy with the chores of opening my own business. It is entirely rewarding and exciting, yet scary and nerve-wracking at the same time. I'll try to keep the site updated with my progress.

I ran across this link the other day, I think it was just before Thanksgiving.

Like most security warriors, you get asked to look at the computers of relatives. SANS asked what we bring when we're visiting relatives then compiled the results.

Enjoy, and enjoy the holidays.

Monday, October 22, 2007

Email addresses and E-Discovery

This has been bugging me for a while. And I'm just now going to write about it. And only because a user inadvertently brought it up.

While I was in the lunchroom, a user came in to eat; and brought her Blackberry. (We don't have a policy on Blackberrys...grrrr...a post for another day.) Anyway, one of the sales reps had emailed her back a one-word answer. "Yes." She ranted that she was sick of this rep replying one-word answers to her questions; and replying from his personal mail. She sent the original question to his corporate email address.

Back in November, the IT department was successful in changing the policy on forwarding all corporate email to personal email addresses. 90% of the users comply with this policy. First of all, management did not like the fact that official company business was being conducted with an "aol" or "hotmail" address. I didn't like it because we have no record of what is really going on. Suppose a sales rep makes a deal with a dealer giving them X% off of a future order. If the company did not comply (for whatever reason), how would we know? We can't grab aol or hotmail email. Should we get sued, we could never produce that email.

Unfortunately, it is not just sales reps that are doing this. There are some in upper management who use their personal email addresses.

So, how do you enforce this policy? I would love to hear some suggestions.

Tuesday, October 2, 2007

Lesson Learned: Always mention when you are going to analyze a machine

It's been an interesting week. People have been leaving the company in record amounts.

The latest occurred yesterday. The manager went to his boss, gave his resignation, said he was going for coffee and would be right back. He hasn't returned yet. At least as far as I've been told. My co-worker disabled the network account and email. He went down to the machine and uploaded to the network any files that were on the C: drive, which were therefore not being backed up.

We don't have a policy on what to do when a person leaves the company, willfully or not. I've tried. HR doesn't want the extra work.

Later in the afternoon, I figured I would take a look at the ex-employee's computer, looking for deleted files, pictures that shouldn't be there, or anything else that shouldn't be on the company computer. So, later in the afternoon, having a few minutes to spare, I headed down to the ex-employee's computer, whipped out Helix, and started analyzing. I really didn't expect to find anything. I was sidetracked on the way, so I didn't mention to anyone where I was going.

I went to look at IE history, but accidentally hit the button for NirSoft's Protected Storage PassView. Well, the Trend Micro client installed on the machine picked it up as "hackerware." A note would be sent to the administrators. About ten minutes later, there's a knock at the office door, and there standing outside are my co-worker and my boss. I quickly explained what I was doing. They were there because they thought the manager who left had come back and was working maliciously on the computer. All was soon well. Important lesson learned, though: let someone know what you are doing so as not to falsely set off alarms.

Friday, September 14, 2007


There is no update.

My manager told me that they found out who was bringing the laptop in from home and connecting to our network. My manager mentioned that they've "talked" to the individual and are "assured" it will not happen again.

Personally, I think they don't want to discipline/fire a second employee in as many days.

And I think this offense is more egregious.


Tuesday, September 11, 2007

My first run in with CP

At 8:30 Monday morning, the Director of HR called me to her office. I thought, "I haven't been in long enough to get in trouble." Little did I know what would be ahead of me. I knew I had a full plate of fires to put out; what was coming would dwarf everything for the day.

I reached her office and was told to shut the door. It seems there was an incident over the weekend. A female employee had logged into a computer and found "pictures inappropriate for work." There was probably more to the story, but I wasn't privy to it. I was asked to prove or disprove the accusation; and, if it was there find out how and when.

I took my laptop and retired to a smaller conference room; I really didn't want to do this from my cube. After shutting the door, I mapped a drive to the suspect machine and surfed to the My Pictures folder. Sure enough, there were pictures there. So, without opening anything, I copied the entire directory to a cdrom. Upon viewing the cdrom I was quickly able to verify that there were images inappropriate for work.

Now for the how and when. The when was pretty easy, as all the dates were the same. Could they be faked? Sure, but I didn't think so in this case. Next, I opened up regedit and connected to the suspect computer's registry. I looked in the CurrentControlSet key, and found an iPod and a Creative MuVo that were listed. When I found the Dos:E\ key, I pieced together that the iPod appeared to have last been listed as E:\. However, the dates didn't match up. I knew the only way we could prove it definitively was to get hold of the iPod.

Before I started to write up my findings, the Director of HR met me in the conference room where I was working. My co-worker had just joined me and we were going over some other leads we wanted to chase down. The Director asked to see the pictures, mostly to see if there were other employees visible. Talk about awkward. But, I guess I had better get used to it. The first couple of pictures were definitely something taken from websites. Another bunch could have gone either way. But, while viewing the last couple, the Director asked me how old the girl was. Uh-oh.

So, we next formulated the steps to take. My part was easy: I was going to provide the facts, as best I knew them, and what I suspected, in order to fill in the holes. But, I tried to impress upon her that all the ducks had to be in a row.

After lunch, I got called into my manager's office, to find the President and the Director of HR. They asked for the cdrom. Calls had already been made to the company attorney. My manager asked me and my co-worker to go through mail and see if the pictures had been mailed anywhere; both in the company and out. Well, we found one outgoing mail message that was pretty incriminating. It was to an external address. My co-worker noticed that the email address was familiar. What?

It turns out the email address turned up in the firewall logs where we logged failed connection attempts to IM. Right after the IM failures, there was another email address with failures. So, we looked up the IP that the failures were coming from, and son of a gun if it wasn't something in the DHCP scope. Uh-Oh. A look at the DHCP server showed a lease to a computer that we didn't name.

We've gone from proving a simple case of inappropriate images on the computer, to using an unapproved computer on our network. A quick scan of the firewall logs showed that this rogue computer had been on and off the network for about a month; usually third shift, and usually on the weekends. The sites they were visiting were typically web sites that allow you to IM when the firewall blocks those ports. We've pretty much proved that someone is trying to deliberately circumvent the access controls.

We had a quick meeting with upper management. We gave our statements and left. While chasing some last leads we see the accused go to HR. Of course he denied it. When pressed, he finally admitted most of what we knew. He tried to give what he thought was a valid explanation; but it wouldn't hold up in the face of the evidence we had.

Sit down now.......they didn't fire him on the spot. They let him go back to work until they had heard from the attorney. My co-worker and I almost fell over. I ran to my cube, and checked my mapped drive...sure enough, all the evidence had just been deleted from his machine. (I wasn't too worried; worst case, we would have undeleted it.) Here's the good part: we had set up the My Documents folder to redirect to the network. Should we need to, it's a simple restore.

Fast forward to today. The accused was fired first thing in the morning. I still haven't heard what the attorney has done. I wouldn't be surprised if the company gets subpoenaed for the data so that the authorities can go after him. As for the rogue laptop, my manager supposedly knows who it is, but nothing has been done. (Personally, I think this is a bigger offense, and has more risk. But that's just me.)

I went home wiped out. I hope the company doesn't screw this up, but I'm not holding my breath.

The good news is I got my tix for Bruce's new tour.

Thursday, September 6, 2007

You can't make this stuff up...

I don't know what made me look up at the ceiling in the server room. But I couldn't believe what I saw. Knowing the place that I work at....they are active.

Friday, August 31, 2007

If, Not When...

A little while ago, the network sysadmin started thinking more about security. I think the incident with the Storm Worm got him a little worried. He really took to the firewall and started locking it down. One night, I performed a port scan of our firewall from home. I was a little surprised at what came back. One of the open ports was FTP, 21. I suggested we shut down the FTP server. It doesn't get used. Well, it does, but once in a blue moon. We don't allow attachments larger than 10 megs through the firewall. So, if a vendor needs to get us a file, we create a temporary user on the firewall, and let them upload it. The reverse happens when one of our users needs to get a big file to a vendor. Since this happens maybe 5-6 times a year, I suggested we turn off FTP, and start it as needed.
The decision was "no."
The other day, the network admin was scanning the ftp logs. The FTP server is getting attacked brutally. Each log has thousands upon thousands of brute-force login attempts.
I still say we should turn off FTP, but the answer is still "no."
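The "thousands upon thousands of brute-force login attempts" above are the kind of thing worth counting rather than eyeballing. As an added example (my code, not the blog's or the firewall vendor's), here is a small Python report that parses FTP login records and, per source address, counts failures, lists the usernames tried, and flags the case a defender most needs to see first: a successful login arriving right after a burst of failures. The log lines are constructed in the style of vsftpd's log file (that format is an assumption; the post never names the FTP server), the addresses are RFC 5737 documentation addresses, and the thresholds are arbitrary.

```python
"""Brute-force report over FTP login records (added example, not the post's tooling).

The log lines below are constructed in the style of vsftpd's log file; the
exact format is assumed, as is every threshold.
"""
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed sample log: one source hammering several usernames and then
# getting in, one legitimate vendor mistyping once, and a non-login record.
SAMPLE_LOG = """\
Thu Aug 30 02:13:07 2007 [pid 4021] [admin] FAIL LOGIN: Client "203.0.113.7"
Thu Aug 30 02:13:09 2007 [pid 4021] [administrator] FAIL LOGIN: Client "203.0.113.7"
Thu Aug 30 02:13:11 2007 [pid 4021] [root] FAIL LOGIN: Client "203.0.113.7"
Thu Aug 30 02:13:13 2007 [pid 4021] [ftp] FAIL LOGIN: Client "203.0.113.7"
Thu Aug 30 02:13:15 2007 [pid 4021] [test] FAIL LOGIN: Client "203.0.113.7"
Thu Aug 30 02:13:17 2007 [pid 4021] [vendor1] FAIL LOGIN: Client "203.0.113.7"
Thu Aug 30 02:13:19 2007 [pid 4021] [vendor1] OK LOGIN: Client "203.0.113.7"
Thu Aug 30 02:13:20 2007 [pid 4021] [vendor1] OK DOWNLOAD: Client "203.0.113.7", "/pub/quote.pdf", 48213 bytes, 91.30Kbyte/sec
Thu Aug 30 09:02:44 2007 [pid 4100] [vendor1] FAIL LOGIN: Client "198.51.100.20"
Thu Aug 30 09:02:58 2007 [pid 4100] [vendor1] OK LOGIN: Client "198.51.100.20"
"""

LoginEvent = namedtuple('LoginEvent', 'ts ip user ok')

# Only login records; transfers and other lines are deliberately skipped.
_LINE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"$'
)

def parse_ftp_log(text):
    """Return the login records in text as a list of LoginEvent, in file order."""
    events = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # not a login record
        ts = datetime.strptime(m.group('ts'), '%a %b %d %H:%M:%S %Y')
        events.append(LoginEvent(ts, m.group('ip'), m.group('user'), m.group('result') == 'OK'))
    return events

def brute_force_report(events, fail_threshold=5, window_minutes=10):
    """Per source IP with at least fail_threshold failures: how many failures,
    which usernames were tried, and whether a success followed fail_threshold
    or more failures inside window_minutes (a burst that got in)."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev.ip].append(ev)
    window = timedelta(minutes=window_minutes)
    report = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if not e.ok]
        if len(fails) < fail_threshold:
            continue
        success_after_burst = any(
            sum(1 for f in fails if timedelta(0) <= e.ts - f.ts <= window) >= fail_threshold
            for e in evs if e.ok
        )
        report[ip] = {
            'failures': len(fails),
            'usernames': sorted({f.user for f in fails}),
            'success_after_burst': success_after_burst,
        }
    return report

if __name__ == '__main__':
    for ip, info in brute_force_report(parse_ftp_log(SAMPLE_LOG)).items():
        flag = '  <-- SUCCESS AFTER BURST' if info['success_after_burst'] else ''
        print(f"{ip}: {info['failures']} failures, tried {', '.join(info['usernames'])}{flag}")
```

Run against a real log, the sources with a `success_after_burst` of True are the ones to look at before anything else; the rest of the report is the evidence for the argument the post is making, that a service used five or six times a year is cheaper to switch off between uses than to keep watching.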

Tuesday, August 21, 2007

Better Late Than Never

[Given the theme here.....]


'Magic,' Bruce Springsteen's new studio recording and his first with the E Street Band in five years, is set for release by Columbia Records on October 2, 2007. Produced and mixed by Brendan O'Brien, the album features eleven new Springsteen songs and was recorded at Southern Tracks Recording Studio in Atlanta, GA.

'Magic' Song Titles:

1. Radio Nowhere
2. You'll Be Comin' Down
3. Livin' in the Future
4. Your Own Worst Enemy
5. Gypsy Biker
6. Girls in Their Summer Clothes
7. I'll Work for Your Love
8. Magic
9. Last to Die
10. Long Walk Home
11. Devil's Arcade

'Magic' is the first new studio album by Bruce Springsteen and the E Street Band since 2002's GRAMMY Award-winning, multi-platinum, number one album 'The Rising' (Columbia Records), which was also produced by O'Brien.

Bruce Springsteen's longtime manager Jon Landau said, "'Magic' is a high energy rock CD. It's light on its feet, incredibly well played by Bruce and the members of the E Street Band, and, as always, has plenty to say. It's also immensely entertaining. 'Magic' is the third collaboration between Bruce and Brendan O'Brien and is a culmination of their very productive creative relationship."

Tuesday, August 14, 2007

Firewall log: LDAP.Request.DoS

We keep seeing this in our firewall logs. The packets are going from our DMZ server to our primary domain controller. What I'm not sure of is whether this is an active attack, or whether something misconfigured on the DMZ server is triggering a false positive.
From: FortiLog-100A(
Trigger Name: Attack Log Warning
Log type: attack log
Alert Severity: High
Triggered Threshold: More than 1 event occured in the last 0.5 hour.
Source Device: Local FortiAnalyzer[Hostname:FortiLog-100A IP:]
Last Raw Message:
itime=1187120433 date=2007-08-14 time=15:42:40 devname=Fortigate-200A device_id=FG200A2105401280 log_id=0419070000 type=ips subtype=signature pri=alert vd=root serial=1945370 attack_id=14770 severity=critical src= dst= src_port=55845 dst_port=389 src_int=dmz1 dst_int=internal status=detected proto=6 service=389/tcp user=N/A group=N/A ref="" msg="operating_system: MS.Windows.Active.Directory.LDAP.Request.DoS

We get quite a few of these. Because of the frequency, I seem to think that they are malicious in nature. The knowledge base says the attack is against a Windows 2000 vulnerability. Our servers are Windows 2003. If anyone has seen this and has any insight, I would love to hear from you.
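To separate the two readings (attack versus a noisy DMZ host), the raw line is more useful than the alert summary, because it carries the source, destination, interfaces and the time of every hit. As an added example (my code, not the blog's and not Fortinet's tooling), here is a Python parser for the key=value format of the line quoted above, a filter for the DMZ-to-domain-controller LDAP pattern the post describes, and a reimplementation of the FortiLog trigger it quotes ("more than 1 event in the last 0.5 hour") so hits can be grouped by source, destination and signature offline. The sample line is the post's own with the blank src= and dst= fields filled in with RFC 5737 documentation addresses; the function names are mine.

```python
"""Parse and count FortiGate IPS log lines (added example, not the post's tooling)."""
import re
from collections import defaultdict

# Constructed sample: the post's log line with the blank src=/dst= fields
# filled in with RFC 5737 documentation addresses (not real hosts).
SAMPLE_LINE = (
    'itime=1187120433 date=2007-08-14 time=15:42:40 devname=Fortigate-200A '
    'device_id=FG200A2105401280 log_id=0419070000 type=ips subtype=signature '
    'pri=alert vd=root serial=1945370 attack_id=14770 severity=critical '
    'src=192.0.2.10 dst=198.51.100.5 src_port=55845 dst_port=389 '
    'src_int=dmz1 dst_int=internal status=detected proto=6 service=389/tcp '
    'user=N/A group=N/A ref="" '
    'msg="operating_system: MS.Windows.Active.Directory.LDAP.Request.DoS"'
)

# key=value pairs: the value is either double-quoted (may be empty or contain
# spaces, as ref="" and msg="..." are) or a bare run of non-space characters.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

def parse_fortigate_line(line):
    """Return the key=value fields of one FortiGate log line as a dict."""
    fields = {}
    for m in _KV.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields

def is_dmz_to_dc_ldap(fields):
    """True for the pattern the post describes: an IPS signature hit crossing
    from the DMZ interface to the internal interface on 389/tcp (LDAP)."""
    return (fields.get('type') == 'ips'
            and fields.get('src_int') == 'dmz1'
            and fields.get('dst_int') == 'internal'
            and fields.get('proto') == '6'
            and fields.get('dst_port') == '389')

def over_threshold(events, window_seconds=1800, max_events=1):
    """Mirror the FortiLog trigger quoted in the post ('more than 1 event in
    the last 0.5 hour'): group hits by (src, dst, attack_id) and return the
    groups whose densest window_seconds span holds more than max_events hits."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev['src'], ev['dst'], ev['attack_id'])].append(int(ev['itime']))
    flagged = {}
    for key, times in by_key.items():
        times.sort()
        start, densest = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window_seconds:  # slide the window forward
                start += 1
            densest = max(densest, end - start + 1)
        if densest > max_events:
            flagged[key] = densest
    return flagged

def sample_events():
    """Constructed series: the same alert at 0, 10 and 20 minutes, then one
    more two hours later (outside the half-hour window)."""
    base = 1187120433
    return [parse_fortigate_line(SAMPLE_LINE.replace(f'itime={base}', f'itime={base + off}'))
            for off in (0, 600, 1200, 7200)]

if __name__ == '__main__':
    fields = parse_fortigate_line(SAMPLE_LINE)
    print('signature:', fields['msg'])
    print('DMZ -> DC on LDAP:', is_dmz_to_dc_ldap(fields))
    for (src, dst, attack_id), n in over_threshold(sample_events()).items():
        print(f'{src} -> {dst} attack_id={attack_id}: {n} hits inside 30 minutes')
```

Filtering a day of raw IPS lines through `is_dmz_to_dc_ldap` and grouping them with `over_threshold` shows what the alert summary hides: whether every hit comes from the one DMZ server at a steady rate (which points at something on that host talking LDAP to the domain controller, and is checked on the host itself) or from varying sources and ports. The signature firing does not by itself say which; the grouping does.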

Friday, August 10, 2007


I've updated my links section to add a couple of links. The ISC should be read every day in order to get a good idea of what is current.

Plus, if you don't read Chief's column at "A Day In The Life Of An Information Security Investigator," you should. Absolutely great reading. He's got two great columns up: a picture dump, and a write-up of Black Hat and Defcon. I couldn't attend. I wish I could have. Chief's write-ups at least let me get a feeling for it.

Pictures From Black Hat and DefCon 2007, 1

Pictures From Black Hat and DefCon 2007, 2

Some Things I've Learned Attending Black Hat & DefCon

Saturday, August 4, 2007

Wireless hacking

I'm still learning. I have a long way to go. I was reading another blog on the activities of Black Hat, out in Vegas. This attack was discussed:

It almost makes me not want to use a laptop with public wireless.

Wednesday, July 25, 2007

Reason Number 1 why we need a stronger security policy

As I finished my last post, I remembered a minor, yet aggravating incident that occurred today.

The manager of international customer service has one employee. That employee is responsible for handling international orders, quotes, and the like. That employee happens to be on a two week vacation. So, around lunchtime, the manager comes to my desk to ask me a question; and I could tell she wasn't too comfortable. Her boss, the VP of Sales and Marketing was wondering how the bulk of the international orders were going to be entered if the person doing it was not here. A fine question. It was suggested that the manager just log into the employee's machine, read the mail and handle the order.

So, she was at my desk to find out how she could log into her employee's machine. I glared at her, and she basically knew the answer. I don't know everyone's password, and there's no way to find the password. Could I just reset the password? Yes. Would I? No. I calmly explained that the "policy" is that I can't allow access to the employee's computer. The manager calmly explained that she had been to HR's office and that the Director of HR had given permission. The manager asked if it was in the policy document (it's not). The HR director responded that it was ok, AND that the Comptroller knew the passwords to all of the computers in the finance office (a separate office). She also mentioned that the VP wanted orders entered this week and wanted to know what it would take. I explained that anything negative that happened would have to be her responsibility.

In the end, the VP of Sales and Marketing sent me a note, basically ordering me to create a new password and reset it when the vacationing employee returns.

I would have jumped out a window, but being on the first floor I figured I would just really hurt myself.

Security policy? Yeah right. A post for another day.

A Monday Incident

It has to happen on a Monday.

And what a Monday it was.

I woke up and it was pouring out. And I mean pouring. It was raining so hard visibility had dropped to a hundred yards, at best. Driving to work, I passed three separate accidents; cars that had spun off the roads. At least they were getting assistance. This was definitely a day to stay home. The road that the plant is on was flooded, with a couple of inches of water. How fitting.

I get in a good half hour before the network administrator gets in which gives me plenty of time to put out the minor brush fires. It was about 20 minutes after he got in that he called me to his office and showed me an email he had received from our ISP. They (the ISP) were getting ready to dump our internet access (a T1) because of complaints due to alleged abuse coming from our public IP. We had about a day to figure it out.

Off to the firewall we went to see what was up. There did not appear to be anything fishy, at least from the firewall. Remember, the network admin is great at "admining" but security is an afterthought for him. I can only "suggest" policy and procedures. At about this time, the director of HR walks into the office. She proclaims that her laptop has crawled to a stop and she is unable to get any work done. We allay her fears and get back to work. I ask the network admin to check the logs for her IP. Lo and behold, we've found our problem. Connections. To and from her laptop. Hundreds of them. Thousands of them. Mail from her machine bypassing the DMZ and the mail server. P2P connections. And a whole bunch of things I didn't have time to ID. Whoa.

A little research turned up that the malicious code was a variant of the Storm Worm; I think Trend finally ID'd it as nuwar.IJ. I explained calmly to the HR director that we thought we had found the reason for her laptop being slow and that I would need to take her laptop off the network and remove it to the data center in order to check it out. So, we grabbed the laptop. The worm went undetected because it killed the AV programs first. Yay for Helix.....RootkitRevealer proved what we thought. And we used Trend's RootkitBuster to clean the machine. Now, thinking of security, I suggested wiping and reloading. However, the network admin figured we had cleaned the machine sufficiently and we would give the machine back after a full virus scan.

When I gave the machine back I asked if there was anything she might have done to have contracted a virus or worm. She thought it might have occurred when she went to update a printer driver (why she had to update a printer driver is still a mystery). After more pressing, she finally admitted to opening an email with a subject of "you have received a bluemountain greeting from a co-worker." She said she clicked the link too.

I'm still trying to tighten the firewall logs....p2p connections should not be coming in or going out of here. Period. That should have been our first red flag. I'm sure there's more to do; but I think the network admin is just glad our network access is not getting yanked.

Wednesday, July 18, 2007

Hello World!

All programmers, when learning a new language, usually start with a "Hello World" program. It's a good way to actually use the new language to do something while learning. So, I'm using this post as a "Hello World" program to introduce my blog. There are many who have come before me, and I've learned a ton from those people. Hopefully, as I immerse myself in the field, I'll be able to aid those who start after me, or at least give back to the community in some small way.

I started out with computers in grammar school, on a TRS-80. In college, I majored in business, though the concentration was in Management [of] Information Systems. I would have received a minor in Comp. Sci., but I got mono in my senior year of college and had to withdraw from a class. However, it was in college that I took a class where I read The Cuckoo's Egg by Cliff Stoll. I knew at that time that I wanted to "catch bad guys using computers." After graduating college, I started programming for a large brokerage house, where I programmed mainframe computers. I mostly worked with much older co-workers, and was the resident "pc-guy." When the company moved offices they moved from dumb terminals to desktop pcs. At this time, outside of work, I actually attempted to start an ISP. I've looked for my old Slackware cds; I can't find them, but I know they had a low version number. Ultimately, I was unsuccessful starting the business. And it was probably a pretty good thing. The market exploded for internet access and margins became razor thin. But it was great experience.

Since then, I've mostly worked for large companies as a developer. It wasn't until I got laid off that I returned to thinking about getting back into the security business. I was looking for jobs and I saw a job posting with the FBI in their Forensics unit. It was close to home, it was security related, and I would be able to "catch bad guys" and use computers. I looked into what it would take, and I realized I was not qualified. Even with some security qualifications. So, I didn't apply.

Now, I'm thinking of leaving the company I work for. I've just recently earned my A+, and I'm working on Security+. After that, I'm thinking of going after my SANS GCFA, then after that CCE.

So, in a nutshell, that's where I'm coming from, and where I hope to go. I'm always looking for insight, comments, and thoughts from the people who have been there before me.

"Hey, gunner man, that's quicksand, that's quicksand that ain't mud
Have you thrown your senses to the war or did you lose them in the flood?"

Here's to hoping I don't get lost.