Friday, December 20, 2013

Is Feedly down or broken? - FIXED

I've been using Feedly to replace my Google Reader, and have liked it a lot so far.  However, I'm trying to log in today, and I cannot get a login page.  All I see is a white screen.  I'm looking at the source, and I can't tell if the page is broken, or something else is going on.  All I see are the meta tags, and a script that appears to force the page to

Other pages appear to work, like About, Help, Community, Publishers and Blog.

Is it me?  Anyone else experiencing this issue?

It looks like it was in the new implementation of authentication.  Ok, stand down.  Nothing to see here.

Wednesday, December 18, 2013

Taking stock

Now that I've gotten into the groove so to speak, I can reflect on what I've seen in the new position.  Here are some of the projects I'm working on.

I have started to build out a security awareness program.  This program is going to focus heavily on phishing, but will also include a monthly email, a blog, and an internal site to check email addresses against data breach datasets.  The monthly emails will feature a unique topic on information security as a method to educate the users.  I started a blog to post information security stories that the user base can learn from and to read about non-mainstream stories.  As for phishing, we'll be making heavy use of PhishMe.

I'm also starting to build a vulnerability management program.  Right now, there are no internal vulnerability scans performed on the user-space. And really, from what I've seen, the external scans (performed by a managed service) are sorely lacking.  For low-hanging fruit, I've purchased a Nessus license and will start working on internal assessments.  I will also start working on the servers, but I know what I will find, and I know it will be very hard to change the culture of non-patching.  I'm afraid of what it will take to make the changes to install a regular patch management program.

The results of my mini-gap assessment have shown me where there are many opportunities to get better.  I plan on using the SANS Top 20 Controls in order to clip the low-hanging fruit and make improvements.

Right now my most tangible success has been the creation of a "security server" where I'll be able to stage vulnerability scans, pen tests, and other security tasks.  I'm also in the process of building a "scanning" account to be used by the tools such that we should ONLY see this account used during security engagements...any other use may indicate an incident.
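As an added example (not code from this post, and not the tooling described in it), here is the kind of check that turns the scanning-account idea into a detection: any logon by the account outside an approved engagement window, or from any host other than the security server, is raised as an alert. Everything about the environment is assumed: the account name svc-vulnscan, the security server name secsrv01, the key=value log format and the engagement window; the log lines are constructed, not real data. A failed logon is flagged too, since it still shows someone trying to use the account.

```python
"""Detect use of a dedicated scanning account outside approved engagements.

Added example, not code from the original post. Everything about the
environment is assumed: the account name, the security server name, the
key=value log format and the engagement windows.
"""
import re
from datetime import datetime, timezone

SCAN_ACCOUNT = "svc-vulnscan"      # assumed name of the scanning account
SECURITY_SERVER = "secsrv01"       # assumed host that all scans originate from

# Approved engagement windows in UTC (assumed; would come from a change ticket).
APPROVED_WINDOWS = [
    (datetime(2013, 12, 14, 22, 0, tzinfo=timezone.utc),
     datetime(2013, 12, 15, 4, 0, tzinfo=timezone.utc)),
]

# Constructed sample logon records, not real data. Format is assumed.
SAMPLE_LOGS = """\
2013-12-14T22:05:11Z host=dc01 event=logon user=svc-vulnscan src=secsrv01 result=success
2013-12-14T23:40:02Z host=fs02 event=logon user=svc-vulnscan src=secsrv01 result=success
2013-12-16T09:12:45Z host=fs02 event=logon user=svc-vulnscan src=wks-1138 result=success
2013-12-16T09:13:01Z host=fs02 event=logon user=jdoe result=success src=wks-1138
2013-12-17T02:30:00Z host=dc01 event=logon user=svc-vulnscan src=secsrv01 result=failure
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


def parse_line(line):
    """Parse '<iso-timestamp> key=value ...' into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = {}
    for token in m.group("kv").split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    fields["ts"] = ts.replace(tzinfo=timezone.utc)
    return fields


def in_approved_window(ts):
    """True if the timestamp falls inside any approved engagement window."""
    return any(start <= ts <= end for start, end in APPROVED_WINDOWS)


def find_suspicious_scan_account_use(log_text):
    """Return (timestamp, host, src, reason) for every scan-account logon that
    is outside an approved window or does not come from the security server.
    Failed logons are included: they still show someone trying the account."""
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if not ev or ev.get("user") != SCAN_ACCOUNT:
            continue
        reasons = []
        if not in_approved_window(ev["ts"]):
            reasons.append("outside approved engagement window")
        if ev.get("src") != SECURITY_SERVER:
            reasons.append("source %s is not the security server" % ev.get("src"))
        if reasons:
            alerts.append((ev["ts"].isoformat(), ev.get("host"), ev.get("src"),
                           "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_scan_account_use(SAMPLE_LOGS):
        print(alert)
```

On the constructed sample this raises two alerts: the logon from wks-1138 on the 16th (wrong source and outside the window) and the failed logon from the security server on the 17th (outside the window). The two in-window logons from secsrv01 are left alone.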

Finally, I'm working on information sharing.  I firmly believe that the sharing of information by the Good Guys helps us combat the Bad Guys.  To that end, I started working as our company's representative to one of the sharing resource centers.  Down the line, I hope to get involved with Infraguard as well.

It's been a busy two months....and I only see it getting busier.

Tuesday, December 3, 2013

New (In)Secure Magazine

I just received notification that the new issue of (In)Secure magazine has been published.

You can get it here.

Sunday, November 10, 2013

Blocking Dynamic DNS sites

Going through proxy and DNS logs, I noticed that (as a whole) the company has not been blocking sites categorized as "Dynamic DNS."  I discovered this while reviewing a "security" report that lists the various site activity that would fall into the generic "security" report.  Interestingly enough, no Dynamic DNS sites were blocked.

Dynamic DNS maps a hostname to an address that changes, so it is used to host sites that do not have a static IP address.  Mostly, it is used by three types of users: hobbyists who do not want to pay for a static IP address for their site; spammers and scammers; and sites that are outright malicious.  Bot herders prefer Dynamic DNS because the hostname stays the same while the servers behind it are rotated in and out, which makes the infrastructure harder to track down and mitigate.  Further, the registration (WHOIS) information for suspicious sites is often obfuscated to make it harder to find the owners.  There is rarely a business case to allow Dynamic DNS sites.

With those points in mind, I presented the case to block all Dynamic DNS-hosted sites.  If there are truly legitimate sites that users need to access, we can re-evaluate on a case-by-case basis and adjust the filters.  So far, it looks like the decision has been favorable.
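An added example, not from the original post, of the check behind that decision: a pass over DNS query logs that flags lookups of hostnames under dynamic DNS providers, so you can see which clients would be affected before the block goes in. The suffix list is a short illustrative starting point (the proxy vendor's "Dynamic DNS" category would be the real source), the log format is assumed, and the log lines are constructed. Matching is done on whole DNS labels, so a look-alike such as notdyndns.org is not flagged, and the provider's own apex (no-ip.com) is not flagged either, since that is the provider's site rather than a customer hostname.

```python
"""Flag DNS queries for hostnames under dynamic DNS providers.

Added example, not code from the original post. The suffix list is a short
illustrative starting point; in practice the proxy vendor's "Dynamic DNS"
category is the authoritative source. Log format and lines are constructed.
"""
import re
from collections import defaultdict

# Illustrative dynamic DNS zones (assumed starting point, not a complete list).
DYNAMIC_DNS_SUFFIXES = {
    "no-ip.com", "no-ip.org", "no-ip.biz", "ddns.net", "hopto.org", "zapto.org",
    "dyndns.org", "dyndns.info", "duckdns.org",
}

# Constructed sample DNS query log, not real data. Format is assumed.
SAMPLE_DNS_LOG = """\
2013-11-08T10:01:02Z client=10.1.2.3 query=evil.no-ip.org type=A
2013-11-08T10:01:05Z client=10.1.2.3 query=www.example.com type=A
2013-11-08T10:02:17Z client=10.1.2.3 query=updates.hopto.org. type=A
2013-11-08T10:03:40Z client=10.1.7.9 query=no-ip.com type=A
2013-11-08T10:04:01Z client=10.1.7.9 query=notdyndns.org type=A
2013-11-08T10:05:55Z client=10.1.7.9 query=Mail.Corp.DuckDNS.org type=MX
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def normalize(name):
    """Lower-case and drop the trailing root dot so matching is canonical."""
    return name.rstrip(".").lower()


def is_dynamic_dns_host(name):
    """True if name sits at least one label below a dynamic DNS zone.

    Matching is on whole labels: notdyndns.org does not match dyndns.org,
    and the provider's own apex (no-ip.com) is not flagged."""
    labels = normalize(name).split(".")
    return any(".".join(labels[i:]) in DYNAMIC_DNS_SUFFIXES
               for i in range(1, len(labels)))


def find_dynamic_dns_queries(log_text):
    """Map each client IP to the sorted list of dynamic DNS hostnames it looked up."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        client, query = fields.get("client"), fields.get("query")
        if client and query and is_dynamic_dns_host(query):
            hits[client].add(normalize(query))
    return {client: sorted(names) for client, names in hits.items()}


if __name__ == "__main__":
    for client, names in sorted(find_dynamic_dns_queries(SAMPLE_DNS_LOG).items()):
        print(client, ", ".join(names))
```

Run against the real proxy or resolver logs for a week or two, the per-client output is the list of exceptions to go back to the business with, which is exactly the case-by-case review the post describes.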

Tuesday, November 5, 2013

Learning Python post updated

Just a quick post:  I've updated my post on Learning Python thanks to the great suggestions from the SANS DFIR list.

The updated post can be found here.

Monday, November 4, 2013

First Day

Today was a great first day; I'm glad I made the move to the new company.  So far, I've learned that most of the security controls are outsourced, managed by many of the big providers.  I think one of our tasks will be to aggregate data from those outsourced providers.

And, it looks like I'll get to go to my first conference, as we will be going to RSA in February.  I'm psyched as I've never really gone to a security conference before.

Friday, October 25, 2013

When the change was made uptown...

Actually, I work downtown.  Or worked.  I'm glad to say that I'm moving on.  While I don't regret the time spent in my current location, the job did not work out.  My co-worker said it best when she was cornered by our Vice President on why I'm leaving:  "Expectations were not met."  Clearly, I learned a lot while I've been here; it has been a rewarding experience. And, I'd do it again, because you learn from every opportunity.  But, I could not see myself here in any number of years.

So, I'm moving on.  I've taken a position where I will be building out a security department for a company.  Basically, I'm on the ground floor.  They have a bunch of controls in place, but very disparate, and not centrally managed.  And, I'm sure when I start gap analysis, I'll find a whole lot missing.  But that's ok, as there will be opportunity to grow and put a stamp on things.  It will be good to see the company move in a positive security direction.

Will there be challenges?  I expect it.  I'm sure that there will be lots of pain implementing some of the controls.  And, while I know that there is (some) management buy-in (heck, they created this position) I'm sure there will be tons of operational pushback.

I hope that this means I will be posting more.  Certainly, I will not be posting specifics.  But, I will chronicle the process of building out security in the enterprise.  I'll tell of what works and what does not.  I'll post some reviews of success, and I'm sure there will be plenty of lessons learned.  Finally, you will probably see posts looking for advice or recommendations.

Monday, September 16, 2013

Feedly is the feedreader at the moment

I wanted to upgrade a post from a while ago.  When Google Reader went dark, many went scurrying to find a new reader to replace the feed curation that Google Reader provided.  For a while, I started using CommaFeed, which seemed to be a pretty good replacement for Google Reader.  The only real issue I had was that it did not seem to update as fast as other readers.  I was continuously hearing about posts that I should read, only to find them in CommaFeed a day or two later.  Otherwise, I really liked it, as it was SO similar to Google Reader.

However, I gave Feedly a try, and I have to say, I'm impressed.  Sure, it's just a tad different from Google Reader, but it was easy enough to get the hang of it.  I've been using it a couple of months now, and I really do not see myself changing.  The only nag I have is that I cannot search my feeds for a particular topic/post.  I do see that now with Feedly Pro, you can pay to get a couple of extra benefits.  But, since I don't search the feeds "that" often, I'll wait until there is a pressing need.

Friday, September 13, 2013

Unix Antivirus software

I know, it has been a long time since I last posted.  That's a post for another day.  I'll get to that, but at a later date.

However, I was given a task today, and I didn't know where it would lead.  Specifically, a customer wanted some information on antivirus software for Unix/Linux servers.  Why I was given the task is another mystery, but it was up to me to provide an answer to the customer. (I'm not a *nix guy, I'm "ok" with it, but I don't work much in that environment.)

I fully admit, I did not know anything about the unix/linux antivirus space.  But, doing some digging I learned a couple of things.  There are plenty of antivirus software packages to choose from.  And, they fall all over the spectrum for services.  Of course, the heavy hitters of antivirus software include offerings for *nix machines.  I was surprised that there were as many others as I found.  Some filled specific niches, like a mail server.  At least one was targeted ONLY at the *nix environment.  Prices were all over the place, and service differed greatly depending on who you were looking at.  I'm including the list below as a note so that if I have to do this research again, I'll know where to start.

Symantec Endpoint Protection

Software not listed here is only not listed because I did not know about it, or it did not immediately meet my customer's needs.  If I blatantly missed something, leave it in the comments.

Monday, May 27, 2013

Testing out CommaFeed to replace Google Reader

In order to replace Google Reader, I've been looking at different platforms and companies.  I had been set on migrating to Feedly until I saw this come across my desk.  CommaFeed is an open source web application that comes pretty close to replicating Google Reader.  Actually, it has a couple of features I did not see in Google Reader (like showing feeds that are non-existent in another color.)  I'm not very social with my news, I use the reader to aggregate it for me.

So far, I'm impressed with CommaFeed; I like it a lot.  The proof will come in the next couple of weeks as I put it through its paces.  This appeared to be a light weekend, without an influx of many posts; so it is tough to gauge.  But we'll see.  Should I move on to another reader, I'll update this post.

WhiteHat Security's interview with a Blackhat

These links came through my blogreader over the last couple of days.  WhiteHat Security ran an interview with a reformed/converted blackhat hacker.  The interviews give a good insight as to what some companies are not doing right, and help show what should be done to tighten the defenses.  Be warned, some of the language might not be work-safe.

Part 1

Part 2

Part 3

Thursday, April 25, 2013

Learning Python - links for learning

I've been slowly learning to code in Python; mostly I've been using Learn Python the Hard Way.  So, it was great to see Mike's post with useful Python links.  Unfortunately, I missed that episode of the DFIR Online Meetup, but I'm thankful that he posted up all of his links.

Mike's links:
Link to Python resources.

edit 11/5/2013 to add:

A large list from GitHub

Google Developers

Think Python


edit 3/24/2014, to add from Harlan's blog:
World's Best Learning Center
80+ Best Free Python Tutorials/books
List of Free Python Books

Tuesday, April 23, 2013

Verizon Data Breach Investigations Report and Insider Threats

The 2013 Verizon Data Breach Investigations Report (DBIR) is out and there is lots of excellent information.  I have only had a chance to scan some of the information and read some of the analysis and posts.  One post I took note of came from DarkReading and discussed the Insider Threat numbers.

You can read the post here.

The full 2013 DBIR can be found here.

Monday, April 22, 2013

Hostgator post on an insider attack

Another day, another insider attack.  This one was detailed by Hostgator.  The link is to the post from NakedSecurity and their writeup of the breach - and how the insider got caught.

Here's the story.

Sunday, April 21, 2013

TechNiki describes an insider attack

The more companies share about the attacks and breaches, the more the community learns.  This is good for the community for two reasons.  One, we can all learn from actual incidents and two, the bad guys share intelligence - we should too.  So, it was great to read TechNiki's account of an insider attack.  Not good because it happened; but because we learned some of the insider controls that were breached.

This is a great write up, hopefully we can all learn something.

TechNiki's write up.

Saturday, April 20, 2013

Breaking radio job!

I know it has been a while since I have posted here; but lots has changed.  I have left the DoD contracting realm and moved on to a (very) large company where I work on their national incident response team.  The team is big, and my specific group gathers intelligence on the current persistent threats and implements controls to thwart those threats.  Of course, we're all incident handlers at heart, so when the alerts go off, we get dirty in the incident response process.

I absolutely love it.  Along with my other duties, I'll be delving into intrusion detection; something I do not have much experience doing.  Because of who my employer is, I am not at liberty to discuss the specifics of what we do, the incidents we face, and any of the specific threats we are combating.  A) I have a non-disclosure agreement.  B) Obviously, I can't give away secrets that would aid the adversaries.

However, I plan to keep the blog alive, talk incident response, intrusion detection, the state of those niches in incident response, and other current security issues that fit that mold.  Within incident response, I'm passionate about incidents dealing with the trusted insider - so there may be some posts in that vein.

Stay safe.

Monday, March 18, 2013

I wish Google Reader wasn't going away

I'm an avid Google Reader user; I like how the interface is easy to navigate and get right to new posts.  I'm not too social with my posts, I'm not "liking" them, sharing them, or starring them.  Losing that functionality in the past did not bother me.  So, I was not pleased to hear the other day that Google Reader is going away.  I'm looking into alternatives.

Feedly, right now, is my top choice for a replacement.  I especially like that there is an Android application and they are trying to stay close to the Google Reader format.

NewsBlur looks promising too.  However, I was not really looking to pay for usage.  Then again, $1 a month is not going to break the bank.

The Old Reader is another company that looks promising.  Also, it is another company in the Google Reader vein.

NetVibes looks interesting, but as of yet, I do not see a mobile application.

I've tried Pulse, but I think I saw that you can only have 20 feeds in the feedreader portion of the application.  It was visually stunning, but I have way more than 20 feeds that I follow.

There are some other readers listed in a great Gizmodo post.  As I look at other applications, I'll update this post.

I saw a petition that had over 100,000 signatures.  I'm not sure what kind of good that will do.  My wish is that Google would leave the code as is, and just make the nominal, important security patches.

FWIW, my requirements are for a simple reader, I do not need the flashy magazine look.  I would prefer an Android app, so I can peruse articles in my spare time and not be tied to the computer.  I do not need the ability to share/broadcast/like etc., stories.  And, any application where I can port over my feeds would be a plus.  Yes, I know Google has the Google Takeout service, but not every application makes perfect use of it.

Edit 3/19/2013:  Two other readers I have discovered but have not researched:


Wednesday, March 13, 2013

New (In)Secure magazine out

I just received an email today that the new edition (number 37) of (In)Secure magazine is out.

You can get it here.

Tuesday, March 5, 2013

Windows 8 STIG released

The other day, DISA released a Windows 8 STIG.  At the present time, the STIG appears to be entirely manual in process as I do not yet see a SCAP benchmark for it.

So far, in the field, I have not come across any Windows 8 systems.  When I do, I will post my reactions to running an audit against the STIG.

Thursday, January 24, 2013

DumpEventLog is a great tool to parse Windows event logs

We have an instant messaging server in the office which helps with communication with those employees that telecommute.  The server is running OpenFire (I think) and the clients are using Pidgin to connect and instant message.  I'm not much of an administrator, so I cannot comment on how good the tools actually are.  But, as a user, I find great value in being able to reach out to anyone and have a quick conversation without having to wait for email or the like.

That said, our Pidgin server has been going down with some regularity; roughly once a month, but sometimes a bit more.  And when it goes down, it takes forever to come back up.  The usefulness as a tool has been diminishing. 

As an incident response guy, one of the first things I wanted to see was the logs.  But, I did not know a way that I would be able to read the logs short of logging in to the server...and I did not have credentials (I'm not an admin.)  I looked for, and found, this script, DumpEventLog.vbs.  The script was suitable for me to give to an admin to run and provide the results back to me.  And, there were a couple of canned scripts to look at some of the low-hanging fruit (failed logons, user accounts created, abnormal shutdowns, etc.)  The data returned to me was easy enough to read, and in a format that I could look at whatever criteria I wanted.  Ultimately, I filtered the data on date, and was able to pin down that the machine was hanging upon reboots after applying patches.  Rather benign.  But, having this tool helped solve the problem.  As for the server issue.....that hasn't been fixed, but at least we know when to expect it to go down again next.
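Added example (not the script from the post, and not the author's own code) of the date filtering and correlation described above, in Python over a CSV export such as an event log dump script might hand back. The column layout, the server name IMSRV01 and the records are constructed for illustration. The event IDs are real Windows System-log IDs: 6008 from EventLog (the previous shutdown was unexpected, which is what you see after a hung box gets power-cycled), 1074 from User32 (a process initiated a restart; Windows Update logs this with the reason "Operating System: Recovery (Planned)") and 19 from Microsoft-Windows-WindowsUpdateClient (update installed). An unexpected shutdown with no patch-reboot event in the preceding 24 hours is reported with no cause, which is the case worth chasing.

```python
"""Correlate unexpected shutdowns with preceding patch reboots in an event log dump.

Added example, not the script from the post. Column layout, server name and
records are constructed; the event IDs are real Windows System-log IDs.
"""
import csv
import io
from datetime import datetime, timedelta

# (Source, EventID) pairs that mark a patch-driven reboot.
PATCH_REBOOT_EVENTS = {
    ("Microsoft-Windows-WindowsUpdateClient", 19),  # update installed
    ("User32", 1074),                               # restart initiated by a process
}
UNEXPECTED_SHUTDOWN = ("EventLog", 6008)            # previous shutdown was unexpected

# Constructed sample export (not real data); column names are assumed.
SAMPLE_CSV = """\
TimeGenerated,ComputerName,LogName,Source,EventID,Message
2012-11-14 03:05:12,IMSRV01,System,Microsoft-Windows-WindowsUpdateClient,19,Installation Successful: Windows successfully installed the following update
2012-11-14 03:10:44,IMSRV01,System,User32,1074,The process wuauclt.exe has initiated the restart of computer IMSRV01 for the following reason: Operating System: Recovery (Planned)
2012-11-14 09:31:20,IMSRV01,System,EventLog,6008,The previous system shutdown at 3:11:02 AM on 11/14/2012 was unexpected.
2012-11-20 14:02:09,IMSRV01,Security,Microsoft-Windows-Security-Auditing,4625,An account failed to log on.
2012-12-12 03:04:58,IMSRV01,System,Microsoft-Windows-WindowsUpdateClient,19,Installation Successful: Windows successfully installed the following update
2012-12-12 03:09:31,IMSRV01,System,User32,1074,The process wuauclt.exe has initiated the restart of computer IMSRV01 for the following reason: Operating System: Recovery (Planned)
2012-12-12 03:15:02,IMSRV01,System,EventLog,6005,The Event log service was started.
2013-01-10 16:40:37,IMSRV01,System,EventLog,6008,The previous system shutdown at 4:32:10 PM on 1/10/2013 was unexpected.
"""


def load_events(csv_text):
    """Parse the export into dicts, sorted by time so correlation can walk backwards."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        events.append({
            "time": datetime.strptime(row["TimeGenerated"], "%Y-%m-%d %H:%M:%S"),
            "computer": row["ComputerName"],
            "log": row["LogName"],
            "source": row["Source"],
            "id": int(row["EventID"]),
            "message": row["Message"],
        })
    events.sort(key=lambda e: e["time"])
    return events


def events_between(events, start_date, end_date):
    """Keep events whose date falls in [start_date, end_date] (YYYY-MM-DD, inclusive)."""
    start = datetime.strptime(start_date, "%Y-%m-%d")
    end = datetime.strptime(end_date, "%Y-%m-%d") + timedelta(days=1)
    return [e for e in events if start <= e["time"] < end]


def correlate_unexpected_shutdowns(events, lookback=timedelta(hours=24)):
    """For each 6008, report the nearest patch-reboot event within `lookback`
    before it, or None when there is no patch activity to explain it."""
    findings = []
    for i, e in enumerate(events):
        if (e["source"], e["id"]) != UNEXPECTED_SHUTDOWN:
            continue
        cause = None
        for prev in reversed(events[:i]):
            if e["time"] - prev["time"] > lookback:
                break
            if (prev["source"], prev["id"]) in PATCH_REBOOT_EVENTS:
                cause = prev
                break
        findings.append({
            "computer": e["computer"],
            "shutdown": e["time"].isoformat(),
            "after_patch_event": (cause["time"].isoformat(), cause["id"]) if cause else None,
        })
    return findings


def analyze_sample():
    """Run the correlation over the constructed export."""
    return correlate_unexpected_shutdowns(load_events(SAMPLE_CSV))


if __name__ == "__main__":
    for finding in analyze_sample():
        print(finding)
```

On the sample, the November unexpected shutdown is tied to the 1074 restart logged a few hours earlier by Windows Update, the December patch cycle produced a clean boot (6005) and no finding, and the January 6008 has no patch event behind it and comes back with no cause.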

Tuesday, January 22, 2013

ESXi, Google Chrome, and Exchange 2010 STIGs released

I happened to be browsing DISA's site when I saw that the following STIGs have been released:

  • ESXi 5 (Draft)
  • Google Chrome (both a benchmark and a STIG)
  • Exchange 2010

This is great news in regards to ESXi, as many times we run across ESXi in the field.  While the guidance is to use ESX, most entities migrate to ESXi for cost.  And the guidance does not translate to ESXi, it's just a different animal.  So, I'm glad DISA has released ESXi guidance.  Further, adding a benchmark for Google Chrome will make auditing those systems with Chrome installed much easier.

Thursday, January 3, 2013

Incident response and insider threats

I mentioned yesterday that I was sorting out what I wanted to accomplish and where I would like to focus my activities in the coming year.  Heck knows, I am nowhere near ready to make a break and start something new or in a different direction.  However, during some of my free time (walking the pooch or driving to work) I've had a chance to mull over additional areas of this niche in computer security. 

One area that fascinates me to no end is the management of the insider threat to the organization.  And I think, to some degree, I want to move into an area where I have the ability to help mitigate and protect from that threat.  By doing so, I'll get to leverage my passion for incident response and to some extent, digital forensics.  At least, it is something to look forward to.

I noticed a post go through my blog reader today that the CERT Insider Threat team released another great resource.  I've just downloaded it:  The Common Sense Guide to Mitigating Insider Threats, 4th edition.  I haven't read it yet (I think I saw it is 144 pages.)  I'll get on it shortly.  But, if it is like their book, The CERT Guide to Insider Threats, then I'm sure it will be great.

Something else that is somewhat nagging at me is that I know my technical skills are starting to slip.  (Heck, many many years ago, my first coding forays were in COBOL, I don't know how much I could write in that language.)  I know that the DFIR community works a lot in Perl and Python.  I had started to teach myself Python early last year, but without having an active project to work on, I find that I can't keep the skills sharp.  So, I plan to remove rust, and get myself as technical as practical.

Finally, one of the tools I really want to get better acquainted with is Security Onion, a tool that I think has plenty of value for incident responders, and network defenders in general.  I just saw today in a post that version 12.04 has been released.

Wednesday, January 2, 2013

A new year

Happy New year!

I wanted to call out the top posts of the years, and maybe throw in some other cool stats.  But I can't figure out how to see my stats for just the calendar year.  I see week, month, and all-time options.  I just want year.  If you know how to get those stats, leave it in the comments.

I'm sure it is going to be a busy year in the IA world.  The DoD is always changing, and we seem to be picking up new clients and ACA offices to work with.  So, I'm sure that there will be new DoD/IA posts in the future.

My passion still lies in the IR/Forensics realm, and I hope to get into that realm full-time in the future.  How that will happen remains to be seen.  And, in the DFIR realm, I'm looking to focus more on one aspect.  The DFIR space has been expanding over the last couple of years; there is so much more to do than there used to be, and I'm looking for something to get more specialized in.  I like timeline analysis, I like log analysis; but there are other areas that, while I'm not the most proficient in them, I'd like to try.  So, as the new year progresses I'll try to update where I'm going.

May you realize your hopes and dreams in the new year....and you're not spending all of your time fighting the bad guys.