Wednesday, November 26, 2008

Upgrade to Hardy....lost Kismet

Well, I've found a casualty since upgrading the laptop to Hardy (8.04.) I can't get Kismet to work. I'm getting a fatal error, and Kismet dies; so I know what I'm doing while the turkey cooks tomorrow. When I figure it out, I'll post up what I find out.

The Next Trip

I'm off to San Antonio next week, first thing Monday morning. I've never been to Texas, so this should be fun. It's a rather large assignment, and there are only two of us on the team. I'm a little surprised about that. I'm not happy about having to do all of the documentation, but after going through the process from the last trip, I've learned a lot. I just went through this prior post to make sure I did not forget anything this time. And, I'm as prepared as I think I can be.

I'm hoping for some good weather, and a good client, so that all runs smoothly.

Monday, November 24, 2008

Thanksgiving Incident Response

This is one of my favorite links that the ISC has published. It's that time of year again, and many of us security warriors will be visiting family and friends over the holiday. Of course, we'll get asked by many of these people to "just take a look at this small problem." You know how it goes.

The post mentions the good tools to that can be burned to a disc or copied to a usb drive such that you can bring it with you. The article was published last year (2007) so it could probably be updated, but it's a great foundation.

Have a great holiday. And hopefully you won't be staring at a monitor of a problematic machine for much of the day.

The DoD's new USB policy

This news was rampant on Friday, but I'm just getting around to posting a thought about it. If you did not hear, the DoD is prohibiting USB drives (connections?) on all DoD machines. Apparently, they are fighting a worm/malware issues that may have been exasperated by the auto-run feature of many usb drives. I agree, it's probably NOT a bad policy to have. When I was working for a company, I wish I could have enacted policy like that. It would have cut down on the headaches.

However, my question is, can't the anti-virus software be configured to scan any USB connection to the computer? Wouldn't that help in the fight? I'm pretty certain that all DoD machines are required to have AV software installed and running. Wouldn't that help mitigate the risk.

Friday, November 21, 2008

Wednesday, November 19, 2008

New Album!!!


Here's the official press release.

Incident Response Checklists

Lenny, at the SANS Internet Storm Center put together some really good cheat sheets. I'm linking them up here so I don't forget where they are. Also, from his site, he links to other cheat sheets. I printed off two sheets on a heavier card stock when I took the GCIH class, and they are firmly tucked away in the jump bag.

Without further ado:
Lenny's sheets - and there are links on the left to print them out
SANS Windows cheat sheet
SANS Linux cheat sheet
Checking Windows for Signs of a Compromise
Checking Linux for Signs of a Compromise

As I mentioned before, I have the SANS' sheets printed on card stock. They work perfectly. If there are other sheets that are worth linking to, let me know. I know SANS is putting together more cheat sheets and they have a call out for ideas.

Sunday, November 16, 2008

Helix v2 - and the new Bruce tune..."Working On A Dream"

I'm sure it is WAY old news, but I just discovered that there is a new version of Helix out there. First, on Friday, my office-mate asked me about computer forensics. Now, I'm not a forensics guru by any stretch of the imagination. However, I mentioned that I had used Helix in both IR and a CF situations. Later, we were trying to find rpm based live CD distributions. I found a list here. However, I did not see Helix listed. So, I quickly surfed over to Heilix's site and discovered that there is a new version out. I have something to play with. And to answer my question, Helix is based on Ubuntu.

I heard the new studio version of "Working On A Dream" while watching Sunday Night Football. While I like the new tune, I was disappointed that they only played about 15 seconds worth of the song. NBC made it sound like we were getting the whole song prior to half time. And yes, I've heard the acoustic version as performed at he Obama rally.

Tuesday, November 11, 2008

AVG antivirus reporting a false positive

I recommend AVG Anti-virus to many of my clients due to its ease of use and the fact that it does not cost. As such, I thought it would be prudent to echo the news that was just reported. AVG is announcing that it's latest virus signature database erroneously tagged C:\\Windows\System32\user32.dll as suspect. The file is not suspect, and should not be removed.

Just a heads up.

Wednesday, November 5, 2008

Apt Get HowTo - a mental note

So that I don't lose it, I'm posting a link for an apt-get HowTo page. I can never remember the commands.

Tuesday, November 4, 2008

SANS Cyber Security Month - Summary and Links

SANS has been running a program where they have collected tips for the various phases of incident response for the past month. I have seen a lot of great tips submitted on the different days. In order to remember where the wrap-up post is, I am posting this link.


Oops - better upgrade Ubuntu

Last night I was using my laptop when it dawned on my that I hadn't received any security updates in a while. I think I was running 7.04, but I really can't remember; I know I had a 7.04 cd on the computer desk. Anyway, I decided to upgrade to the next release up (not the newest.) This site gave me all the info I needed. (And, according to the article, it looks like 7.04 reached end of life on October 19th. Which would explain why I had not seen any updates.)

And it went smoothly. It took a little longer than I thought, but otherwise, the upgrade went well. The only issue I found was that Thunderbird would not open after the install; I was getting a path error. I ran "whereis mozilla-thunderbird" and was going to use that path in my applet launcher. However, I mistakenly removed Thunderbird from the panel. I re-added the application, and presto, it worked like a charm. So, note to self, any app that does not work after the install: remove and add the icon to the panel first (before further troubleshooting.)

My plan is to upgrade to 8.04 next so that I'm on the latest stable version. I'll move to 8.10, but I want to wait for the bugs and kinks to be worked out.