Wednesday, December 5, 2012

Latest e-zines released

Two of my favorite e-zines have just released new issues:

I use Ubuntu a lot, though not as much as I would like to.  Full disclosure, I'm using an older distro, 10-something.  I have never been big on Unity, and my next full upgrade may not be pure Ubuntu, but a derivative.  Anyway, I read the Full Circle e-zine, and they just recently released a new issue.

Grab Issue 67 here.

I've been reading (In)Secure Magazine (e-zine) for many years now.  Yes, some of the articles are not the most current, though it would be very tough to put out a "zine" that was "that" timely.  But, I enjoy many of the articles and have learned a lot from reading the magazine.  It's one of those magazines I take with me on flights.

Grab issue 36 here.

I'm always open to reading new e-zines.  Feel free to leave a comment on a zine you would recommend.

Tuesday, December 4, 2012

Searching for malware with Sysinternals tools

This is mostly a placeholder post so I know where to find this great video lecture.

Those of you that are constantly fighting malware may want to take a gander at this lecture as Mark's awesome tools are featured.

Log collection

A timely post by the Internet Storm Center.

I'm working on collecting logs at home and for the church.  Ultimately, at the church I want to set up something like Security Onion, but I need to start somewhere with incident response.  To that end, I want to aggregate logs.

The ISC post has great ideas and potential tools for capturing logs.

Saturday, November 3, 2012

Beware of Sandy Spam and Scams

It did not take long for the spam capitalizing on "relief efforts" for Hurricane Sandy to start hitting my inbox.  Further, in my area, actual scams have been taking place.  For example, FEMA has only just entered the area.  Yet, some residents report being contacted by FEMA representatives.  Also, we have "tree companies" casing the area ostensibly looking for work - and in reality, looking for empty houses.

Be careful on what you click.

Make sure that whoever you are dealing with actually represents who they claim to.

Leaving phones/laptops unattended while charging

Like many places, we got hit hard by the hurricane.  We're without power, heat, and hot water.  We don't have a generator, so charging the myriad of gadgets has been problematic at best.  Some neighbors and friends who have power have been great.  And a couple of the local businesses and the local library have set up temporary "charging stations."  It has been a huge blessing.

However, some people haven't taken the security of their phones or laptops very seriously.  While in Walgreens charging my phone, I watched people hook their phones up to charge, then go shop, leaving the phones unattended.  While it would be hugely crass to take advantage of people in this situation, the security side of me can't help but cringe.  With so much of our lives tied into our phones (and laptops), it seems extremely foreign to me that I would leave my device unattended.

So please, take care of your phones and laptops...make sure that they are secure.

Putting a disaster recovery plan into practice

As a DoD auditor, I hammer DoD sites and entities for not having disaster recovery plans, or for not having adequate ones.  I got to put those words into practice in my own life when Hurricane Sandy hit us directly.  In light of what happened, we are revamping our procedures and amending the plans that we already had.

For example, we had planned for wind damage, and the possibility of a power outage.  We didn't plan on evacuating...data from previous storms didn't indicate that we might have to worry about rising water.  However, with the storm picking up steam, hitting us three hours earlier than anticipated and during a high tide, the stream around us was 13' above normal.  Water poured all around the house, which led to a prompt evacuation.

So, with a new threat to add to the threat model, we are revamping our plan.  We are including many of the lessons learned from this event so that we are not caught off guard in the future.  Further, we're keeping the plan in a central location so that everyone can benefit from seeing it and putting it into place.

It would figure that we would not get a hurricane until the very end of hurricane season.  And we know that winter is just beginning....we're bound to have a snow/ice event.

Monday, October 29, 2012

October 2012 DISA updates

It's been a while since I last posted....I've had a lot of irons in the fire lately.  And, it doesn't help that we have gotten really busy, or were.  Now, there are artifacts and documentation to create.

So, in doing some research for a particular client, I surfed over to DISA's site and found that they had released a whole bunch of STIGs for the quarter.  Here's the list that I found for October:

Network Infrastructure Router L3 Switch - Version 8, Release 12 - Updated October 26, 2012
Network Perimeter Router L3 Switch - Version 8, Release 12 - Updated October 26, 2012
Network L2 Switch STIG Version 8 Release 12 - Updated October 26, 2012
Network Policy - Version 8, Release 12 - Updated October 26, 2012
Network Other Devices - Version 8, Release 12 - Updated October 26, 2012
IPSEC VPN Gateway STIG, Version 1, Release 3 - Updated October 26, 2012
Network Firewall - Version 8, Release 12 - Updated October 26, 2012
Network IDS/IPS - Version 8, Release 12 - Updated October 26, 2012
Oracle 9 Database STIG, Version 8 Release 1.8 - Updated October 26, 2012
Oracle 10 Database STIG, Version 8 Release 1.9 - Updated October 26, 2012
Oracle 11 Database STIG, Version 8 Release 1.9 - Updated October 26, 2012
McAfee Antivirus Security Guidance - Version 4, Release 7 - Updated October 26, 2012
General Desktop Application STIG Version 4, Release 3 - Updated October 26, 2012
Microsoft Office 2010 STIG Version 1, Release 5 - Updated October 26, 2012
Microsoft Office 2007 STIG - Version 4, Release 9 - Updated October 26, 2012
Microsoft SharePoint 2010 STIG Version 1, Release 2 - Updated October 26, 2012
BlackBerry STIG - Version 2, Release 2 - Updated October 26, 2012
DoD Host Based Security System (HBSS) STIG - Version 4, Release 3 - Updated October 26, 2012
SPAN Keyboard Video Switch (KVM) STIG, Version 2, Release 2 - Updated October 26, 2012
SPAN Multi-Function Device (MFD) and Printer STIG, Version 2, Release 2 - Updated October 26, 2012
SPAN Storage Area Network (SAN) STIG - Version 2, Release 2 - Updated October 26, 2012
REL LAN STIG - Version 1, Release 3 - Updated October 26, 2012
Internet Explorer 6 STIG - Version 4, Release 7 - Updated October 26, 2012
Internet Explorer 7 STIG - Version 4, Release 8 - Updated October 26, 2012
Internet Explorer 8 STIG - Version 1, Release 8 - Updated October 26, 2012
Internet Explorer 8 STIG Benchmark - Version 1, Release 8 - Updated October 26, 2012
Internet Explorer 9 STIG Version 1, Release 3 - Updated October 26, 2012
Mozilla Firefox STIG - Version 4, Release 5 - Updated October 26, 2012
z/OS ACF2 STIG - Version 6, Release 13 - Updated October 26, 2012
z/OS RACF STIG - Version 6, Release 13 - Updated October 26, 2012
z/OS TSS STIG - Version 6, Release 13 - Updated October 26, 2012
zOS SRR Scripts Version 6, Release 13 - Updated October 26, 2012
Windows Vista STIG, Version 6, Release 1.27 - Updated October 26, 2012
Windows Vista STIG Benchmark Version 6, Release 1.27 - Updated October 26, 2012
Windows XP STIG, Version 6, Release 1.27 - Updated October 26, 2012
Windows XP STIG Benchmark Version 6, Release 1.27 - Updated October 26, 2012
Windows 2003 STIG - Version 6, Release 1.27 - Updated October 26, 2012
Windows 2003 DC STIG Benchmark Version 6, Release 1.27 - Updated October 26, 2012
Windows 2003 MS STIG Benchmark Version 6, Release 1.27 - Updated October 26, 2012
Windows 2008 STIG - Version 6, Release 1.20 - Updated October 26, 2012
Windows 2008 DC STIG Benchmark Version 6, Release 1.20 - Updated October 26, 2012
Windows 2008 MS STIG Benchmark Version 6, Release 1.20 - Updated October 26, 2012
Windows 2008 R2 STIG - Version 1, Release 6 - Updated October 26, 2012
Windows 2008 R2 DC STIG Benchmark Version 1, Release 6 - Updated October 26, 2012
Windows 2008 R2 MS STIG Benchmark Version 1, Release 6 - Updated October 26, 2012
Windows 7 STIG - Version 1, Release 10 - Updated October 26, 2012
Windows 7 STIG Benchmark Version 1, Release 14 - Updated October 26, 2012
Gold Disk (*PKI) - Updated October 26, 2012
IAVM to CVE Mapping Spreadsheet - Updated October 26, 2012
Draft Internet Explorer 10 STIG Version 1 - Updated October 24, 2012
2012 STIG TIM and DSAWG Schedule - Updated October 24, 2012
Draft Mobile Policy SRG, Version 1, Release 0.2 - October 19, 2012
STIG Viewer - Version 1.1.2 - October 19, 2012
IAVM 2012 - Benchmark (HBSS Only) (*PKI) - Updated October 15, 2012
Draft Traditional Security STIG - Updated October 15, 2012
Draft Application Server SRG, Version 1, Release 0.2 - Updated October 11, 2012
Mobile OS SRG, Version 1, Release 1 - Updated October 10, 2012

The STIGs with (*PKI) after the name need special credentials.

I noticed that Gold Disk was updated.  I thought I read that this is the last update for Gold Disk.  I have not used it in quite a while, as we have been transitioning to the SCAP Compliance Checker (SCC) for all of our SCAP content.  I do miss the MS Office checks and browser checks that were bundled in Gold Disk.  But, we're finding that scripting out SCC has been meeting our needs.

Thursday, September 27, 2012

New Google Chrome STIG, out in draft

While browsing DISA's STIG section today, I noticed an announcement for a new STIG for Google Chrome.  Note that the STIG is in draft.

You can get the STIG here.

Wednesday, September 26, 2012

Striking out on your own

I'm getting that itch to go back to working for myself exclusively.  Partly, I think it is because I'm passionate about the work I do on my own, and not so much the DoD contracting work.  Of course, the big fear is not making enough money.  And benefits.  And the marketing.

A while back, Hal Pomeranz put out a great series of articles about his experiences going it alone.  I'm linking them here as they have helped me, and so that others can get some benefit from them.

Enjoy.  And I hope they help you as much as they have helped me.

Part 1 - The Case for Consulting
Part 2 - An Important Cash-Flow Lesson
Part 3 - Billing Rates
Part 4 - Insurance Matters
Part 5 - Finding Work
Part 6 - Work Finds Experts
Part 7 - Work?  What Work?
Part 8 - Avoiding Overhead
Part 9 - Knowing When To Say When

Friday, August 10, 2012

A small business opinion

SANS had a great post the other day on protecting small- and medium-sized businesses.  As I have a small company that responds to many small-business incidents, I tend to see first hand the whats and the whys.  Most of my work with my own company comes from a business that has been hacked or that gets some kind of malware infection.  And time and time again, when we go in to look at what happened, we see that there are no controls, or very few controls, in place.  And, nine times out of ten, the clients have no visibility to even see if there WERE things that might be amiss.  It's only when the pop-ups start, the browsers are hijacked, or the machine crawls that anyone decides to do anything.

So, we end up remediating.  Then we propose actions to take to prevent the issue from occurring again in the future.  Inevitably, I think it comes down to money.  The economy is tough.  Times are tough.  Businesses are scraping by just to stay afloat.  And, as such, whatever is not 100% necessary, or does not SHOW massive improvements to the bottom line, gets dropped in favor of something that will help the company stay profitable.  I believe the mindset is that many times it is cheaper to slap Band-Aids on the problem each time that there is an incident rather than fix the deep-rooted issues in an attempt to stay safer in the long term.

Just what I've seen.

Tuesday, August 7, 2012

DISA Updates

It has been a while since I last posted....there has been a lot of travel and work of late.  However, while perusing DISA's STIG page, I came across the quarterly updates.

The following STIGs have been updated since I last wrote.  Note that STIGs and tools with (*PKI) will require authentication.

IAVM to CVE Mapping Spreadsheet - Updated August 3, 2012
STIG Viewer Beta - Version 1.1.0 - New August 1, 2012
DoD Host Based Security System (HBSS) STIG - Version 4, Release 2 - Updated July 27, 2012
Enclave Zone A Checklist - Version 4, Release 5 - Updated July 27, 2012
Enclave Zone B Checklist - Version 4, Release 5 - Updated July 27, 2012
Enclave Zone C Checklist - Version 4, Release 5 - Updated July 27, 2012
Enclave Zone D Checklist - Version 4, Release 5 - Updated July 27, 2012
Enclave Security Checklist - Version 4, Release 5 (*PKI) - Updated July 27, 2012
Network Firewall - Version 8, Release 11 - Updated July 27, 2012
Network IDS/IPS - Version 8, Release 11 - Updated July 27, 2012
IPSEC VPN Gateway STIG, Version 1, Release 2 - Updated July 27, 2012
Network Other Devices - Version 8, Release 11 - Updated July 27, 2012
Network Policy - Version 8, Release 11 - Updated July 27, 2012
Network Infrastructure Router L3 Switch - Version 8, Release 11 - Updated July 27, 2012
Network Perimeter Router L3 Switch - Version 8, Release 11 - Updated July 27, 2012
Network L2 Switch STIG Version 8 Release 11 - Updated July 27, 2012
RAS Remote Access Server STIG Version 2, Release 7 - Updated July 27, 2012
Remote Access Policy STIG Version 2, Release 7 - Updated July 27, 2012
Remote Access VPN STIG Version 2, Release 7 - Updated July 27, 2012
Remote Endpoint STIG Version 2, Release 7 - Updated July 27, 2012
Remote XenApp ICA Thin Client STIG Version 2, Release 7 - Updated July 27, 2012
z/OS ACF2 STIG - Version 6, Release 12 - Updated July 27, 2012
z/OS RACF STIG - Version 6, Release 12 - Updated July 27, 2012
z/OS TSS STIG - Version 6, Release 12 - Updated July 27, 2012
zOS SRR Scripts Version 6, Release 12 (*PKI) - Updated July 27, 2012
Windows 2003 STIG - Version 6, Release 1.26 - Updated July 27, 2012
Windows 2003 DC STIG Benchmark Version 6, Release 1.25 - Updated July 27, 2012
Windows 2003 MS STIG Benchmark Version 6, Release 1.26 - Updated July 27, 2012
Windows 2008 STIG - Version 6, Release 1.19 - Updated July 27, 2012
Windows 2008 DC STIG Benchmark Version 6, Release 1.19 - Updated July 27, 2012
Windows 2008 MS STIG Benchmark Version 6, Release 1.18 - Updated July 27, 2012
Windows 2008 R2 STIG - Version 1, Release 5 - Updated July 27, 2012
Windows 2008 R2 DC STIG Benchmark Version 1, Release 5 - Updated July 27, 2012
Windows 2008 R2 MS STIG Benchmark Version 1, Release 5 - Updated July 27, 2012
Windows 7 STIG - Version 1, Release 9 - Updated July 27, 2012
Windows 7 STIG Benchmark Version 1, Release 13 - Updated July 27, 2012
Windows Vista STIG, Version 6, Release 1.26 - Updated July 27, 2012
Windows Vista STIG Benchmark Version 6, Release 1.26 - Updated July 27, 2012
Windows XP STIG, Version 6, Release 1.26 - Updated July 27, 2012
Windows XP STIG Benchmark Version 6, Release 1.26 - Updated July 27, 2012
IAVM 2012 - Benchmark (HBSS Only) (*PKI) - Updated July 27, 2012
McAfee Antivirus Security Guidance - Version 4, Release 6 - Updated July 27, 2012
Internet Explorer 6 STIG - Version 4, Release 7 - Updated July 27, 2012
Internet Explorer 7 STIG - Version 4, Release 7 - Updated July 27, 2012
Internet Explorer 8 STIG - Version 1, Release 7 - Updated July 27, 2012
Internet Explorer 8 STIG Benchmark - Version 1, Release 6 - Updated July 27, 2012
Internet Explorer 9 STIG Version 1, Release 2 - Updated July 27, 2012
Internet Explorer 9 STIG Benchmark - Version 1, Release 2 - Updated July 27, 2012
Microsoft Office 2010 STIG Version 1, Release 4 - Updated July 27, 2012
Microsoft Office 2007 STIG - Version 4, Release 8 - Updated July 27, 2012
Gold Disk (*PKI) - Updated July 27, 2012
IAVM 2012 Benchmarks - Updated July 24, 2012
Draft Intrusion Detection and Prevention System SRG, Version 1, Release 0.3 - Updated July 17, 2012
Windows 7 STIG Benchmark Version 1, Release 12 - Updated July 13, 2012
Database Security Requirements Guide (SRG) - Version 1, Release 1 - Updated July 13, 2012

I made one edit to the list.  The list seems to indicate that the Enclave Zone A checklist was updated four times.  I looked, and found that Zone A, Zone B, Zone C, AND Zone D were updated.  I think it is just a typo in their list of checklists on the main STIG page.  Also note that Gold Disk has been updated. While we use the Gold Disk in limited situations, as auditors, we've been pushing the use of the SCAP Compliance Checker.  So far, we have not had problems; either scripting it out to many machines or in the returning of results.  We have, though, spent some time weeding out false positives.
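Both this post and the October 2012 DISA updates post above mention scripting SCC out to many machines and then weeding false positives out of the returned results.  The following is an added example, not part of the original posts and not SCC's or DISA's own code.  It reads the XCCDF result file that SCC writes for each scanned host, counts the results, and lists the open findings while setting aside rule ids that an analyst has already verified as false positives for this environment (so the suppression stays visible instead of silently disappearing from the report).  It assumes the standard XCCDF layout (TestResult, rule-result with idref and severity, and a result child) and works for the 1.1 and 1.2 namespaces alike; the embedded result document and its SV-… rule ids are constructed for illustration.

```python
"""Summarise SCAP Compliance Checker (SCC) XCCDF result files.

Added example; not part of the original post and not SCC's own code.
Assumes SCC wrote standard XCCDF result XML (TestResult / rule-result /
result).  The sample document and its SV-... rule ids are constructed.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample of the relevant part of one SCC result file.
SAMPLE_RESULT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="Windows_7_STIG">
  <TestResult id="xccdf_scc_testresult_1" start-time="2012-07-27T09:00:00">
    <target>WKS-EXAMPLE-01</target>
    <rule-result idref="SV-12345r1_rule" severity="high">
      <result>pass</result>
    </rule-result>
    <rule-result idref="SV-12346r1_rule" severity="medium">
      <result>fail</result>
    </rule-result>
    <rule-result idref="SV-12347r1_rule" severity="low">
      <result>fail</result>
    </rule-result>
    <rule-result idref="SV-12348r1_rule" severity="medium">
      <result>notapplicable</result>
    </rule-result>
    <rule-result idref="SV-12349r1_rule" severity="medium">
      <result>notchecked</result>
    </rule-result>
    <score system="urn:xccdf:scoring:default" maximum="100">60.0</score>
  </TestResult>
</Benchmark>
"""


def _local(tag):
    """Strip the XML namespace so XCCDF 1.1 and 1.2 files parse the same way."""
    return tag.rsplit('}', 1)[-1]


def parse_results(xml_text):
    """Return (hostname, [(rule_id, severity, result), ...]) from one result file."""
    root = ET.fromstring(xml_text)
    host = None
    rows = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name == 'target' and host is None:
            host = (elem.text or '').strip()
        elif name == 'rule-result':
            result = ''
            for child in elem:
                if _local(child.tag) == 'result':
                    result = (child.text or '').strip()
            rows.append((elem.get('idref'), elem.get('severity', 'unknown'), result))
    return host, rows


def summarize(xml_text, suppressed=frozenset()):
    """Count results and list open findings, separating rule ids known to be false positives.

    `suppressed` holds rule ids an analyst has already verified as false positives
    for this environment; failing results for those ids are reported in their own
    list rather than dropped, so the suppression itself is auditable.
    """
    host, rows = parse_results(xml_text)
    counts = Counter(result for _, _, result in rows)
    open_findings = [(rid, sev) for rid, sev, res in rows
                     if res == 'fail' and rid not in suppressed]
    suppressed_hits = [rid for rid, _, res in rows
                       if res == 'fail' and rid in suppressed]
    return {
        'host': host,
        'counts': dict(counts),
        'open': open_findings,
        'suppressed': suppressed_hits,
    }


if __name__ == '__main__':
    report = summarize(SAMPLE_RESULT_XML, suppressed={'SV-12347r1_rule'})
    print(report['host'], report['counts'])
    for rid, sev in report['open']:
        print('OPEN', sev, rid)
    for rid in report['suppressed']:
        print('SUPPRESSED (verified false positive)', rid)
```

To use it across a fleet, point it at the result XML files SCC leaves behind on each host (or copies back to a share), and keep the suppression set in a reviewed file so that every "false positive" decision has an owner and a date.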

Monday, July 2, 2012

DFIR Summit presentations and reviews

Alas, another year goes by, and I was not able to make it to the SANS DFIR Summit.  I've mentioned it in the past.  And this year, like previous years, the company would not spring for it.  So, I have to live vicariously through the write-ups of those that got to attend and present.

I was really glad to see that SANS is hosting archives of the Summit, which you can find here.

And, I saw a whole bunch of write-ups of the event in my feed reader today.  I've listed them below.  As I see/read other write-ups, I'll add them to this list.

Harlan's write-up is found here.

Melia's write-up is here.

Frank's write-up is here.

Ken's write-up is here.

As I've said every year....I hope circumstances allow me to attend next year.  For now, I'll be poring through the summit archives.

Wednesday, June 20, 2012

Girl, Unallocated's Forensic Report Writing Cheat Sheet

I know I haven't posted for a while; it's been slow going, on all fronts.  This post is mostly a mental note for myself, as I am sure I will need to reference it in the future.  A few weeks ago, Girl, Unallocated put up a great post on her methodology for creating a Forensic Report, post analysis.  The cool part is that in looking at the flowchart, there appear to be sections that can be built now, and filled in with details when the analysis is performed.  If I'm smart, I'll get to work on this now, and save myself the work later on.

I don't mind the writing aspect of the work.  Forensic reports or DIACAP packages, it doesn't matter to me.  The data and results have to be communicated to someone, and some type of report is necessary.  I suspect that that sentiment is true of almost all segments of the IT field.  But, good (report) writing helps us in our fields to better communicate what we find; and in turn, it helps others make decisions and/or judgements that lead to next steps.

I urge other forensicators to read her post, linked here.

Thursday, May 31, 2012

To Screenlock or Not a mobile phone

Being a security guy, I keep security in the back of my mind.  Quite often, I put that knowledge to use when I least expect it.  I've had a cell phone for quite a while, many years in fact.  I've never used anything like a screen lock, be it a password or a pattern lock.  And I've got two different ways of thinking.

1.  In order to be secure, I know that I should lock my phone.  That way, should I ever lose the phone, misplace it, or, the phone gets stolen, I'll have "some" barrier (however strong) to prevent the casual person from snooping on the contents.  I know that it won't stop a determined attacker, but it should stop the low-hanging fruit masses.  I've seen different locks, both password-type locks and pattern locks.  Either one would be fine by me.

2.  The other side of my brain says "Hey, what happens if you are in an accident and EMS needs your phone?"  Does EMS do that?  Meaning, do they go to victims' phones to contact someone, or for identity?  Are they allowed to?  I remember seeing the "news articles" back when cell phones were getting more popular that you should have an "ICE Contact" (that's In Case of Emergency).

So, what's a good choice?  What balances out security with peace of mind?  Am I misinformed about what EMS can and cannot do?

What's your opinion...

Tuesday, May 22, 2012

DISA STIG updates since I last wrote

I know it has been a while since I last wrote.  And since that time, DISA has updated many of their STIGs and benchmarks.  I've included the list below.  Be aware that any item with a "*" is located in the PKI-protected area.

Here's the list:

Internet Explorer 9 STIG Version 1, Release 1 - Updated May 21, 2012
Internet Explorer 9 STIG Release Memo - Updated May 21, 2012
Traditional Basic Checklist (*PKI) - Updated May 21, 2012
Traditional Common Compliance Validation Checklist (*PKI) - Updated May 21, 2012
Traditional NIPRNet Compliance Validation Checklist (*PKI) - Updated May 21, 2012
Traditional SIPRNet Compliance Validation Checklist (*PKI) - Updated May 21, 2012
IPSEC VPN Gateway STIG, Version 1, Release 1 - Updated May 21, 2012
IPSEC VPN Gateway STIG Memo - Updated May 21, 2012
IAVM to CVE Mapping Spreadsheet - Updated May 18, 2012
Policy Auditor / STIG Viewer Operational Guidance - Updated May 14, 2012
SCAP Implementation Process Guidance - Updated May 14, 2012
SCC 3.0.1 Read Me - Updated May 14, 2012
IAVM 2012 Benchmarks - Updated May 7, 2012
SCC 3.0.1 SCC DEBIAN i386 - Updated May 2, 2012
SCC 3.0.1 DEBIAN AMD64 - Updated May 2, 2012
STIG Library Compilation Bulk Download (.zip format) - Updated May 2, 2012
Windows 7 STIG, Version 1, Release 8 (*PKI) - Updated April 27, 2012
Windows 7 STIG - Version 1, Release 8 - Updated April 27, 2012
Windows 7 STIG Benchmark Version 1, Release 10 - Updated April 27, 2012
Windows 2003 STIG - Version 6, Release 1.25 - Updated April 27, 2012
Windows 2003 STIG, Version 6, Release 1.25 (*PKI) - Updated April 27, 2012
Windows 2003 DC STIG Benchmark Version 6, Release 1.25 - Updated April 27, 2012
Windows 2003 MS STIG Benchmark Version 6, Release 1.25 - Updated April 27, 2012
Windows 2008 STIG - Version 6, Release 1.18 - Updated April 27, 2012
Windows 2008 STIG - Version 6, Release 1.18 (*PKI) - Updated April 27, 2012
Windows 2008 DC STIG Benchmark Version 6, Release 1.18 - Updated April 27, 2012
Windows 2008 MS STIG Benchmark Version 6, Release 1.18 - Updated April 27, 2012
Windows 2008 R2 STIG - Version 1, Release 4 - Updated April 27, 2012
Windows 2008 R2 STIG - Version 1, Release 4 (*PKI) - Updated April 27, 2012
Windows 2008 R2 DC STIG Benchmark Version 1, Release 4 - Updated April 27, 2012
Windows 2008 R2 MS STIG Benchmark Version 1, Release 4 - Updated April 27, 2012
Windows Vista STIG, Version 6, Release 1.25 - Updated April 27, 2012
Windows Vista STIG, Version 6 Release 1.25 (*PKI) - Updated April 27, 2012
Windows Vista STIG Benchmark Version 6, Release 1.25 - Updated April 27, 2012
Windows XP STIG, Version 6, Release 1.25 - Updated April 27, 2012
Windows XP STIG, Version 6 Release 1.25 (*PKI) - Updated April 27, 2012
Windows XP STIG Benchmark Version 6, Release 1.25 - Updated April 27, 2012
z/OS ACF2 STIG - Version 6, Release 11 - Updated April 27, 2012
z/OS ACF2 STIG - Version 6, Release 11 (*PKI) - Updated April 27, 2012
z/OS RACF STIG - Version 6, Release 11 - Updated April 27, 2012
z/OS RACF STIG - Version 6, Release 11 (*PKI) - Updated April 27, 2012
z/OS TSS STIG - Version 6, Release 11 - Updated April 27, 2012
z/OS TSS STIG - Version 6, Release 11 (*PKI) - Updated April 27, 2012
zOS SRR Scripts Version 6, Release 11 (*PKI) - Updated April 27, 2012
Network Firewall - Version 8, Release 10 - Updated April 27, 2012
Network IDS/IPS - Version 8, Release 10 - Updated April 27, 2012
Network Other Devices - Version 8, Release 10 - Updated April 27, 2012
Network Policy - Version 8, Release 10 - Updated April 27, 2012
Network Infrastructure Router L3 Switch - Version 8, Release 10 - Updated April 27, 2012
Network Perimeter Router L3 Switch - Version 8, Release 10 - Updated April 27, 2012
Network L2 Switch STIG Version 8 Release 10 - Updated April 27, 2012
Internet Explorer 6 STIG - Version 4, Release 6 - Updated April 27, 2012
Internet Explorer 7 STIG - Version 4, Release 6 - Updated April 27, 2012
Internet Explorer 8 STIG - Version 1, Release 6 - Updated April 27, 2012
Internet Explorer 8 STIG Benchmark - Version 1, Release 6 - Updated April 27, 2012
Mozilla Firefox STIG - Version 4, Release 4 - Updated April 27, 2012
Microsoft Office 2010 STIG Version 1, Release 3 - Updated April 27, 2012
Microsoft Office 2007 STIG - Version 4, Release 7 - Updated April 27, 2012
Microsoft Office 2003 STIG - Version 4, Release 3 - Updated April 27, 2012
McAfee Antivirus Security Guidance - Version 4, Release 5 - Updated April 27, 2012
General Desktop Application STIG, Version 1, Release 2 - Updated April 27, 2012
General Mobile Device (Non-Enterprise Activated) STIG Version 1, Release 2 - Updated April 27, 2012
DoD Host Based Security System (HBSS) STIG - Version 3, Release 6 (*PKI) - Updated April 24, 2012
Gold Disk (*PKI) - Updated April 23, 2012
SCAP Tools (SCC 3.0.1) - Updated April 17, 2012

Tuesday, May 1, 2012

Guides for locking down Twitter, Google+, Facebook and LinkedIn

Chief Monkey put up a post the other day on locking down some of the big Social Media websites.  As the security policies change it can be harder and harder to keep track of what the actual settings are.  Read the post, it's good stuff.  Here are the direct links to the guides:

Twitter

LinkedIn

Google +

Facebook

As the Chief mentions, it will help friends and family lock down their accounts keeping people (and their information) safer.

Thursday, April 26, 2012

Passed my SANS GCIH recert

Part of what has kept me busy over the last couple of weeks has been my studying for the SANS GCIH.  I knew about the various methods of re-certifying, but opted to just retake the test.  The books/media were shipped to me and I got busy with studying, especially the updates.

I really liked what was added to the course.  The material is current and relevant to what we as incident responders are seeing.  I had my books from my original certification and I quickly transferred my notes and highlighted what was new.  And, I transferred all of my stickies and flags from the old books to the new books.  That sentence should be bold, flashing, and scrolling.  I feel that knowing where the material is in the books is one of the key factors to helping you pass and not waste time.  The exam is challenging, even with open books, and it is easy to use up the time.  Knowing where specific topics are in the books only helps your chance of getting a better grade.

I didn't do it this time, but I will the next time.  I'll copy the table of contents to the front of the books so that I don't have to open them, I'll know exactly where to turn to.  But, it helps that I knew the material in the first place.  And, I'm passionate about incident response and forensics.  It makes learning, or remembering, the information that much easier.

I've been toying with the idea of doing/submitting a Gold paper this time.  However, I really don't have an idea of what to research/write about.  Feel free to leave suggestions in the comments.

Tuesday, April 24, 2012

Yep, got tickets...

Just a quick post.....yep, I got tix.  I'm glad.  I haven't missed a tour in a long time, and I didn't want my streak broken.  I've heard a lot of good things about this tour, so I'm excited to go.

A good way to follow the tour is through Backstreet's Setlist page.

DFIROnline Meetups

I know that this is a little late; I've been a little busy and life has gotten a little hectic.  However, I want to thank Mike for hosting the DFIROnline meetup on Thursday.  I've known about the meet-ups, but last Thursday was the first time I was able to attend.  The community is warm and welcoming, and both topics were well presented.  I learned a lot.  Girl Unallocated's talk on CCleaner was great to hear, and I learned more about looking for CCleaner artifacts when analyzing a system.  And Kevin's presentation on data recovery was simply amazing.  I wish I had a lab like that.  Holy Cow.  I had to wipe the drool up a couple of times.

Mike has the schedule posted here.

I certainly plan to attend the next meeting.  And who knows...somewhere down the line I might give a presentation.  Just don't hold your breath, it will be a while.

Now, if I would only get on Twitter, I could probably engage in the chat box more.

Friday, March 30, 2012

Visa and MasterCard confirm breach

News broke today that Visa and MasterCard announced that a processor of their credit cards had been breached and allegedly more than 10 million credit card numbers have been stolen.  A couple of posts/articles that go into more depth are here:

Brian Krebs' KrebsOnSecurity
ZDNet's Zero Day
Sophos' Naked Security

While I had read the posts/articles earlier this morning, I just got "the call" from my credit card company this evening.  This has happened to me before, a long time ago when Egghead Software was breached (that had to be mid-90s, right?)  What a pain to have to go through the rigmarole again.

Allegedly, the processor is Global Payments.  It will be interesting to see if they are/were PCI compliant.  Further, it will be interesting to see if details of the breach emerge.

Global Payments has an announcement on their website.

What bothers me is that they determined that there was a breach in early March, took steps, yet announced today.  I would be interested in hearing what caused the delay.

Friday, March 23, 2012

DISA auditing of a SQL 2005 Express database

On my upcoming trip, I have to audit a SQL 2005 Express database and hold it accountable to the DISA SQL Server 2005 checklist.  I know that there are parts of the checklist that will be "Not Applicable" as Express just doesn't have all of the features that Server has.  My plan is to run the Microsoft SQL Server SRRs against the database, then connect and check as many of the manual checks as possible.

To connect to the database, I plan on using OSQL.  In this case, my command will be:

osql -E   - which will connect me to the default instance on the local machine, using Windows authentication (assuming that it is the default instance.)

osql -E -S .\instancename     - I'll use this if they have changed the instance name.  (The "." is the local machine; note that SQL Server 2005 Express installs as a named instance, SQLEXPRESS, by default, so "osql -E" alone will not find it.)

Upon connecting, I should be able to run any of the manual sql that is listed in the checklist in order to answer the controls.

(In an unclassified environment, I would bring along QueryExpress.exe and connect to the database that way to run queries.)
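As an added example (not part of the original post, and not the DISA checklist's own SQL), here is one way to script the manual-check portion so that each query's output lands in an evidence file instead of being copied out of an interactive osql session.  It assumes osql.exe is on the PATH of the audited host and that the auditing account can use Windows authentication (-E); the three queries are assumed general SQL Server 2005 inventory queries standing in for the checklist's manual SQL, which is not reproduced here.  The server argument is built the same way the two commands above are: host alone for the default instance, host\instance for a named one.

```python
"""Run a batch of manual checks through osql and keep each result as an evidence file.

Added example; not from the original post and not DISA checklist code.
Assumes osql.exe is on PATH on the audited host and that the auditing
account may use Windows authentication (-E).  The CHECKS queries are
assumed general SQL Server 2005 inventory queries, not the checklist's own.
"""
import subprocess
from pathlib import Path

# Assumed example queries; replace or extend with the checklist's manual SQL.
CHECKS = {
    'edition_and_version': "SELECT SERVERPROPERTY('Edition'), SERVERPROPERTY('ProductVersion')",
    'sql_logins': "SELECT name, is_disabled FROM sys.sql_logins",
    'surface_area_options': "SELECT name, value_in_use FROM sys.configurations "
                            "WHERE name IN ('xp_cmdshell', 'remote access', 'Ole Automation Procedures')",
}


def server_arg(instance=None, host='.'):
    """Build the -S value: host alone for the default instance, host\\instance otherwise.

    '.' is the local machine.  SQL Server 2005 Express installs as the named
    instance SQLEXPRESS by default, so pass instance='SQLEXPRESS' for a stock install.
    """
    return host if not instance else f'{host}\\{instance}'


def build_osql_argv(query, instance=None, host='.', outfile=None):
    """Return the osql command line for one query.

    -E trusted connection, -w wide output, -n no line numbers/prompts,
    -b exit with a non-zero code if the query errors, -o write output to a file.
    """
    argv = ['osql', '-E', '-S', server_arg(instance, host),
            '-w', '1024', '-n', '-b', '-Q', query]
    if outfile:
        argv += ['-o', str(outfile)]
    return argv


def run_checks(checks=CHECKS, instance=None, host='.', outdir='evidence'):
    """Run each check, writing osql's output to <outdir>/<check>.txt; return {check: returncode}."""
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    status = {}
    for name, query in checks.items():
        argv = build_osql_argv(query, instance, host, out / f'{name}.txt')
        status[name] = subprocess.run(argv).returncode  # non-zero means osql or the SQL failed
    return status


if __name__ == '__main__':
    import sys
    # Usage: python run_checks.py [instancename]   e.g. SQLEXPRESS; omit for the default instance
    inst = sys.argv[1] if len(sys.argv) > 1 else None
    print(run_checks(instance=inst))
```

A non-zero return code for a check usually means the query referenced a feature Express does not have, which is itself useful evidence for marking that control "Not Applicable."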

Thursday, March 22, 2012

A great messenger bag idea

Just recently, I had been thinking of switching from a backpack to a messenger bag for carrying all of my tech gear.  Don't get me wrong, my backpack has served me well over the years; in and out of airports, all over the U.S. It's a Swiss Gear Synergy, and I truly love it.  However, I'm not afraid to admit, it's a little large; it holds all of my stuff, with quite a bit of room to spare.  A couple of weeks ago I saw a neat messenger bag, and it got me to thinking.  The bag I saw wasn't too big, yet still seemed to have a lot of space to carry plenty of gear.  As I am frequently on a plane, I was looking for something that fits under the seat nicely, something my backpack does occasionally (depends on the plane.)

Yesterday, while reading Phandroid, I saw a review for a Powerbag.  While they make backpacks and slings, I thought their messenger bag was pretty cool.  Here's Phandroid's review.  I would like to actually see one of these in a store somewhere so that I can check the size and weight; but it really looks cool.  The added bonus is that you can charge the phone, etc.

Text/Character Encoder

I was given this encoder in a class.  Recently, I was looking for the link and it took me forever to come up with it.  This post is just a bookmark for me.

Character Encoder

Wednesday, March 14, 2012

DISA Updates - Windows 7 STIG benchmark and a master list of STIGs

While checking DISA for specific guidance today, I noticed two updates.  The first update is for the ninth release of the Windows 7 STIG benchmark.  The current version is: Version 1, Release 9.  This was actually released on 12 March.  The second update I noticed is a Master List of STIGs.  To me, this is awesome, because sometimes I forget which category a particular STIG is housed in.  Click here for the master list of STIGs.  (Be advised that some STIGs are in the CAC-protected section of DISA.)  The master list was released on 8 March.

Wednesday, February 29, 2012

Blackberry and General Mobile Device STIGs released

A couple of new STIGs and guides have been released over the last couple of days:

  • IAVM to CVE Mapping Spreadsheet - Updated February 24, 2012
  • Windows 7 STIG Benchmark Version 1, Release 8 - Updated February 22, 2012
  • IAVM 2011 Benchmarks - Updated February 22, 2012
  • IAVM 2012 Benchmarks - Updated February 22, 2012
  • BlackBerry STIG - Version 2, Release 1 - Updated February 20, 2012
  • IAVM to CVE Mapping Spreadsheet - Updated February 17, 2012
  • General Mobile Device (Non-Enterprise Activated) STIG Version 1, Release 1 - Updated February 16, 2012

Thursday, February 23, 2012

Is Firefoxforensics.com down? Missing? Replaced? Upgraded?

An anonymous commenter on this post mentioned that Firefoxforensics.com was down.  I've checked over the last couple of days, and the site cannot be found by various browsers.  Whois says the domain is still good.  Has anyone heard if it is down for good?  Or, since Firefox is up to version 10, are there new tools replacing F3E?  I may have missed an announcement; if so, feel free to clue me in.

Monday, February 20, 2012

Life Update

I know I haven't posted in a while.....

Firstly, I've been getting frustrated with DoD auditing in support of DIACAP, or whatever it is going to be called in the future.  After doing this auditing for close to four years, I see numerous problems with no clear-cut solution.  But, that is a post for another day.  I'll still post DoD IA posts, but expect to see more incident response / digital forensics posts.

While I started my post-college career in software development, specifically COBOL, I figured it was time to learn a scripting language.  Currently, I write many of my auditing tools using VBScript; however, it is not portable across multiple platforms.  After thinking about it for a while, I've decided to teach myself Python, so there could be some Python posts in the future.  Many of the open source DFIR tools that I've seen/used are written in either Perl or Python, so it's high time I learned one of those languages.

Finally, if there are (larger than normal) gaps in posting, it is because I am studying for my SANS GCIH re-certification.  Without realizing it, I took my GCFA class outside of the window where I could have used it for my GCIH re-certification credits.  Fortunately, I really like the material in the GCIH, and I put much of it into practice.  It's been fun to read the updated manuals and go through the DVD with new and updated software.

Thursday, February 9, 2012

Ovaldi error message: missing MSVCP100.dll

I downloaded the new version of Ovaldi.exe the other day, version 5.10.1.1.  After ensuring that I had the correct definition file, I kicked off a scan on a Windows 7 machine.  Rather quickly, I received the following error message:
I would love to hear any ideas to solve this.  I don't see the DLL in the zipped up package, and I don't know if this is a DLL typical to Windows 7 machines.  Googling the DLL did not yield any obvious solutions.  For the time being, I rolled back to the 5.9.1 schema, but I would like to use a newer version.

February DISA and Mitre updates

I received an email the other day that DISA has released a draft of the Internet Explorer 9 STIG.  Comments need to be submitted by 21 February.

Further, while updating my Oval definitions today, I noticed two definition files I had not seen before:  XP Media Center Edition and XP Tablet PC edition.  They might have been there a while, but it is the first time I have seen them.  (And in reality, I have not come across those editions in the DoD world, yet.)

Thursday, February 2, 2012

First Quarter 2012 STIG releases

Over the past couple of weeks, DISA has released their updates to various STIGs.  From what I have been able to compile, the following STIGs and benchmarks have been updated:

Windows 7 STIG Benchmark Version 1, Release 7 - Updated February 1, 2012
Draft IPSEC VPN Gateway STIG - Updated January 31, 2012
Draft IPSEC VPN Gateway STIG TIM Memo - Updated January 31, 2012
Draft IPSEC VPN Gateway STIG Comment Matrix - Updated January 31, 2012
IAVM to CVE Mapping Spreadsheet - Updated January 27, 2012
Microsoft Office 2007 STIG - Version 4, Release 6 - Updated January 26, 2012
Internet Explorer 7 STIG - Version 4, Release 5 - Updated January 26, 2012
Windows 2008 R2 DC STIG Benchmark Version 6, Release 3 - Updated January 25, 2012
Windows 2008 R2 MS STIG Benchmark Version 6, Release 3 - Updated January 25, 2012
Windows 2008 DC STIG Benchmark Version 6, Release 1.17 - Updated January 25, 2012
Windows 2008 MS STIG Benchmark Version 6, Release 1.17 - Updated January 25, 2012
Windows 2003 DC STIG Benchmark Version 6, Release 1.24 - Updated January 25, 2012
Windows 2003 MS STIG Benchmark Version 6, Release 1.24 - Updated January 25, 2012
Windows XP STIG Benchmark Version 6, Release 1.24 - Updated January 25, 2012
Windows Vista STIG Benchmark Version 6, Release 1.24 - Updated January 25, 2012
Network Firewall - Version 8, Release 9 - Updated January 25, 2012
Network IDS/IPS - Version 8, Release 9 - Updated January 25, 2012
Network Policy - Version 8, Release 9 - Updated January 25, 2012
Network Infrastructure Router L3 Switch - Version 8, Release 9 - Updated January 25, 2012
Network L2 Switch STIG Version 8 Release 9 - Updated January 25, 2012
Network Other Devices - Version 8, Release 9 - Updated January 25, 2012
RAS Remote Access Server STIG Version 2, Release 6 - Updated January 24, 2012
Remote Access Policy STIG Version 2, Release 6 - Updated January 24, 2012
Remote Access VPN STIG Version 2, Release 6 - Updated January 24, 2012
Remote Endpoint STIG Version 2, Release 6 - Updated January 24, 2012
Remote XenApp ICA Thin Client STIG Version 2, Release 6 - Updated January 24, 2012
JVAP Administrative STIG Version 3, Release 13 - Updated January 24, 2012
DoD Host Based Security System (HBSS) STIG - Version 3, Release 5 - Updated January 24, 2012
Windows 2008 R2 STIGS - Updated January 24, 2012
Windows 2008 STIGS - Updated January 24, 2012
Windows 2003 STIGS - Updated January 24, 2012
Windows 7 STIGS - Updated January 24, 2012
Windows Vista STIGS - Updated January 24, 2012
Windows XP STIGS - Updated January 24, 2012
Gold Disk (*PKI) - Updated January 23, 2012
zOS STIGS - Updated January 23, 2012
zOS STIGS (*PKI) - Updated January 23, 2012

Friday, January 20, 2012

Funny keyword search results

This cracked me up.  A friend of mine is doing a forensics analysis of a laptop that belonged to a software developer in a company.  He was told to do a search for suspected pornography on the machine, and to include the actual word "porn."  What came back in the search?

XPorNewer

Saturday, January 14, 2012

Command Cyber Readiness Inspection

In the coming weeks I will be traveling to a base in order to help them prepare for a Command Cyber Readiness Inspection.  I have never participated in one of these, typically I am auditing a system for certification efforts.

As far as I understand, DISA picks the unit/system that is undergoing the inspection.  There are a series of checklists that they will use and that must be completely filled out.  It also appears that they will Retina scan the entire system.  In addition to helping the unit prepare by running a "pre-audit" we will be ensuring that documentation is complete and up-to-date.  Our only "true" deliverable will be a POAM so that the unit knows what they need to fix or update before the actual inspection takes place.

I would be interested in hearing more about the mechanics of a CCRI; who gets selected, why, etc.

Monday, January 9, 2012

Sharepoint 2010 and Apache STIGs have been released for January 2012

I received an email that DISA has released the Sharepoint 2010 and Apache Web 2.0 and 2.2 checklists for Windows and UNIX.  The requirements for both of these STIGs are effective immediately.

Thursday, January 5, 2012

Tr3Secure Data Collection script

The other day, I saw a post on Corey's blog (Journey Into Incident Response) that was really cool.  He released a script that quickly grabs volatile information from a possibly compromised machine.  His post documents the whys, the tools, and the framework of the script, so I'll let you read the post rather than summarize.

What I'll add is that this script does a lot of great things.  I pulled down the dependencies and started testing the script out on some of our test laptops.  The laptops that I've used have been a mix of Windows XP and Windows 7 machines with various amounts of RAM.  The script has run quickly, and efficiently formats the output for analysis after the fact.  Some of the tools I was familiar with, and there were some new tools there that I will give further study to.

I will be using this script (as I get more familiar with it) on machines that I receive when collection of volatile data is paramount.  Further, after learning some new tools, I will be incorporating some of the methodologies into DoD auditing.  Certainly, I see the potential to replace some of the WMI calls I use when grabbing information from machines we are auditing due to improved output.

Another plus I see in the usage of this script is that it runs from a .bat file.  Most of my scripts have made heavy use of cscript/wscript, and I've found that cscript/wscript is not installed on all machines.  Batch files tend to run on all machines.