Saturday, 24 December 2011

Tutorial Geek wishes you a Merry Christmas!

I want to wish everyone a Merry Christmas! I love this time of year and hope that everyone is finding joy and happiness!

On my personal blog, I just wrote about the true meaning of Christmas from a different perspective (in China). You can read it here if you would like.

Sunday, 18 December 2011

One liners for retrieving Windows TCP/IP and IP Address information

One liners for retrieving Windows IP Address information from Powershell v3.0 (inside a ForEach-Object block the current object is $_):
  • gwmi -class Win32_NetworkAdapterConfiguration | % {if ($_.IPAddress -ne $null) {$_}}
  • gwmi -class Win32_NetworkAdapterConfiguration | % {if ($_.IPAddress -ne $null) {$_}} | fl *
  • gwmi -class Win32_NetworkAdapterConfiguration | % {if ($_.IPAddress -ne $null) {$_ | Select -ea 0 IP,DHCP,DNS,WINS}}
  • gwmi -class Win32_NetworkAdapter | % {If ($_.NetEnabled) {$_ | Select Caption, Name, Speed, TimeOfLastReset, Net*}}
  • gwmi -class Win32_NetworkAdapterConfiguration | % {If ($_.IPAddress -ne $null) {write "$($_.Caption) $($_.IPAddress) $($_.SettingID)"}}
  • gwmi -class Win32_PerfRawData_Tcpip_NetworkInterface | % {if ($_.BytesReceivedPersec -ne 0) {write "$($_.Name) $($_.BytesReceivedPersec) $($_.BytesSentPersec)"}}
and a function to retrieve the 'PropertySets' of IP information for a list of computers, provided that you can make remote Powershell connectivity work:


function Global:Show-IPinfo {
    [CmdletBinding()]
    Param(
        [Parameter(ValueFromPipeline=$true)]
        [array]$HostList=@("localhost"),
        [array]$PropertySets=@("IP","DHCP","DNS")
    )
    $HostList | % {
        # adapter configurations on this host that actually carry an IP address
        $HostIP=gwmi -computer $_ -class Win32_NetworkAdapterConfiguration |
            % {if ($_.IPAddress -ne $null) {$_}}

        # print every property referenced by each named property set (IP, DHCP, DNS, WINS)
        $PropertySets |
            % {foreach ($i in ($HostIP.$_).ReferencedPropertyNames) {write "$($i) : $($HostIP.$i)"}}
    }
}
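A reworked version of the same inventory, added here as an example and not the post's own code: it returns one object per IP-enabled adapter for each host in a list and keeps going when a host is unreachable. It assumes WMI (DCOM) access to the named hosts, and Get-IPInventory is an assumed name.

```powershell
# Added example, not from the original post: one object per IP-enabled adapter for each
# host in a list, skipping hosts that cannot be reached instead of stopping.
# Assumes WMI (DCOM) access to the hosts; Get-IPInventory is an assumed name.
function Get-IPInventory {
    [CmdletBinding()]
    Param(
        [Parameter(ValueFromPipeline=$true)]
        [string[]]$ComputerName = @("localhost")
    )
    Process {
        foreach ($computer in $ComputerName) {
            try {
                $configs = Get-WmiObject -Class Win32_NetworkAdapterConfiguration -ComputerName $computer -ErrorAction Stop |
                    Where-Object { $_.IPAddress -ne $null }
            } catch {
                # RPC unavailable, access denied, etc.: report it and move to the next host
                Write-Warning "$computer : $($_.Exception.Message)"
                continue
            }
            foreach ($cfg in $configs) {
                [PSCustomObject]@{
                    ComputerName = $computer
                    Adapter      = $cfg.Caption
                    MACAddress   = $cfg.MACAddress
                    IPAddress    = ($cfg.IPAddress -join ',')        # IPv4 and IPv6 entries
                    Gateway      = ($cfg.DefaultIPGateway -join ',')
                    DHCPEnabled  = $cfg.DHCPEnabled
                    DHCPServer   = $cfg.DHCPServer
                    DNSServers   = ($cfg.DNSServerSearchOrder -join ',')
                }
            }
        }
    }
}

# e.g. Get-IPInventory -ComputerName srv1, srv2 | Export-Csv -NoTypeInformation ip-inventory.csv
```

Because the output is objects rather than text, the same run can be sorted, filtered (for example on DHCPServer or DNSServers values that are not the ones you expect) or diffed against a previous export.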

Thursday, 15 December 2011

One of the many reasons I love Google

This is a picture of my bathroom here in China. Nothing special really (other than the fact that I moved into a really nasty apartment with a nasty bathroom). Nothing special I thought.
This is why Google is so cool.

I recently upgraded Picasa to the newest version. I decided to go through and use Picasa to organize some of my contacts with faces. It was when I was doing this that Picasa brought up this photo for me to tag. My initial response was that Picasa was crazy, but after looking at the smaller thumbnail, I realized it totally does look like a face.


I love you Google. 

Saturday, 10 December 2011

FileVersionInfo Part II

# Powershell v3.0 code
# Recurses current directory to gather file version information of a boolean property
# Returns number of Debug,Patched,PreRelease,Private,Special builds
# Creates csv of those properties in current directory
# Takes up to three arguments:
# [mandatory]$filename (e.g. *.dll),$exportflag (e.g. "0" to output csv;default is off), $filetime (default is now)

function Global:Get-fileinfo {
    [CmdletBinding()]
    Param(
        [Parameter(ValueFromPipeline=$true)]
        [object]$filename,
        [bool]$exportflag=1,                    # 0 writes one csv per build category
        $filetime=[DateTime]::Now.ToFileTime()  # prefix for the csv names
    )

    $Files=ls -Filter $filename -recurse -File
    ## $Files=ls -ea 0 -Filter $filename -recurse #remove '-File' to create 2.0 code. Add '-ea 0' as desired.

    # one FileVersionInfo per file (the same object ls exposes as $_.VersionInfo)
    $FileInfo=$Files | % {[System.Diagnostics.FileVersionInfo]::GetVersionInfo($_.FullName)}

    $Global:DebugBuild=$FileInfo | ? {$_.IsDebug}
    $Global:PatchedBuild=$FileInfo | ? {$_.IsPatched}
    $Global:PrereleaseBuild=$FileInfo | ? {$_.IsPreRelease}
    $Global:PrivateBuild=$FileInfo | ? {$_.IsPrivateBuild}
    $Global:SpecialBuild=$FileInfo | ? {$_.IsSpecialBuild}

    # category name -> the FileVersionInfo objects that carry that flag
    [hashtable]$Global:Report=@{
        "DebugBuild" = $DebugBuild;
        "PatchedBuild" = $PatchedBuild;
        "PrereleaseBuild" = $PrereleaseBuild;
        "PrivateBuild" = $PrivateBuild;
        "SpecialBuild" = $SpecialBuild }

    if ($exportflag -eq 0) {
        # one csv per category in the current directory, e.g. 129688353001234567DebugBuild.csv
        foreach ($name in $Report.Keys) {
            $Report[$name] | Export-Csv -ea 0 -Path "$filetime$name.csv"
        }
    }

    write "Total files: $(($Files).count)"
    write "Marked Debug: $(($DebugBuild).count)"
    write "Marked Patched: $(($PatchedBuild).count)"
    write "Marked Prerelease: $(($PrereleaseBuild).count)"
    write "Marked Private: $(($PrivateBuild).count)"
    write "Marked Special: $(($SpecialBuild).count)"
}

FileVersionInfo Part I

Retrieving FileVersionInfo in Powershell involves calling [System.Diagnostics.FileVersionInfo]::GetVersionInfo(). 'ls' or 'Get-ChildItem' output has a ScriptProperty named "VersionInfo" that wraps this call for you:



PS C:\ps1> $a=ls -recurse | % {$_.VersionInfo}


TypeName   : System.IO.FileInfo
Name       : VersionInfo
MemberType : ScriptProperty
Definition : System.Object VersionInfo {get=[System.Diagnostics.FileVersionInfo]::GetVersionInfo($this.FullName);}


System.Diagnostics.FileVersionInfo contains five boolean properties for Debug, Patched, PreRelease, Private and Special builds:


PS C:\ps1> $a | gm




   TypeName: System.Diagnostics.FileVersionInfo


Name               MemberType Definition
----               ---------- ----------
Equals             Method     bool Equals(System.Object obj)
GetHashCode        Method     int GetHashCode()
GetType            Method     type GetType()
ToString           Method     string ToString()
Comments           Property   System.String Comments {get;}
CompanyName        Property   System.String CompanyName {get;}
FileBuildPart      Property   System.Int32 FileBuildPart {get;}
FileDescription    Property   System.String FileDescription {get;}
FileMajorPart      Property   System.Int32 FileMajorPart {get;}
FileMinorPart      Property   System.Int32 FileMinorPart {get;}
FileName           Property   System.String FileName {get;}
FilePrivatePart    Property   System.Int32 FilePrivatePart {get;}
FileVersion        Property   System.String FileVersion {get;}
InternalName       Property   System.String InternalName {get;}
IsDebug            Property   System.Boolean IsDebug {get;}
IsPatched          Property   System.Boolean IsPatched {get;}
IsPreRelease       Property   System.Boolean IsPreRelease {get;}
IsPrivateBuild     Property   System.Boolean IsPrivateBuild {get;}
IsSpecialBuild     Property   System.Boolean IsSpecialBuild {get;}
Language           Property   System.String Language {get;}
LegalCopyright     Property   System.String LegalCopyright {get;}
LegalTrademarks    Property   System.String LegalTrademarks {get;}
OriginalFilename   Property   System.String OriginalFilename {get;}
PrivateBuild       Property   System.String PrivateBuild {get;}
ProductBuildPart   Property   System.Int32 ProductBuildPart {get;}
ProductMajorPart   Property   System.Int32 ProductMajorPart {get;}
ProductMinorPart   Property   System.Int32 ProductMinorPart {get;}
ProductName        Property   System.String ProductName {get;}
ProductPrivatePart Property   System.Int32 ProductPrivatePart {get;}
ProductVersion     Property   System.String ProductVersion {get;}
SpecialBuild       Property   System.String SpecialBuild {get;}


We can select for these booleans easily enough:


PS C:\ps1> $a | Select FileName,Is* | fl * | more
{ls -recurse | % {$_.VersionInfo} | Select FileName,Is* | fl * | more}


FileName       : C:\ps1\CTPv3\app.config
IsDebug        : False
IsPatched      : False
IsPrivateBuild : False
IsPreRelease   : False
IsSpecialBuild : False


FileName       : C:\ps1\CTPv3\AssemblyInfo.cs
IsDebug        : False
IsPatched      : False
IsPrivateBuild : False
IsPreRelease   : False
IsSpecialBuild : False


...
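As an added example covering both FileVersionInfo posts (not the posts' own code), the same VersionInfo script property can be used to list only the files whose version resource sets one of the five build flags, or whose OriginalFilename no longer matches the name on disk; Get-VersionInfoAnomaly is an assumed name.

```powershell
# Added example, not from the original posts: list files whose version resource sets one of
# the five build flags, or whose OriginalFilename differs from the name on disk.
# Get-VersionInfoAnomaly is an assumed name.
function Get-VersionInfoAnomaly {
    [CmdletBinding()]
    Param(
        [string]$Path = '.',
        [string]$Filter = '*.dll'
    )
    $flagNames = @('IsDebug', 'IsPatched', 'IsPreRelease', 'IsPrivateBuild', 'IsSpecialBuild')

    Get-ChildItem -Path $Path -Filter $Filter -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $vi = $file.VersionInfo   # same object GetVersionInfo($file.FullName) returns

            # build flags that are set on this file
            $set = $flagNames | Where-Object { $vi.$_ }

            # OriginalFilename is often empty, or differs only in case or in a trailing
            # extension (e.g. foo.dll.mui), so compare base names; -ne ignores case
            $mismatch = $false
            $orig = $vi.OriginalFilename -as [string]
            if ($orig) {
                $orig = $orig.Trim() -replace '\.[^.\\]*$', ''
                $mismatch = ($orig -ne $file.BaseName)
            }

            if ($set -or $mismatch) {
                [PSCustomObject]@{
                    FullName         = $file.FullName
                    CompanyName      = $vi.CompanyName
                    FileVersion      = $vi.FileVersion
                    OriginalFilename = $vi.OriginalFilename
                    BuildFlags       = ($set -join ',')
                    NameMismatch     = $mismatch
                }
            }
        }
}

# e.g. Get-VersionInfoAnomaly -Path 'C:\Program Files' -Filter *.exe | Format-Table -AutoSize
```

The flags and OriginalFilename are written by whoever produced the binary, so treat the output as a triage list rather than a verdict; the mismatch check also fires on legitimately renamed copies.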



Tuesday, 06 December 2011

Mandiant Webinar Wednesday; Help Us Break a Record!

I'm back for the last Mandiant Webinar of the year, titled State of the Hack: It's The End of The Year As We Know It - 2011. And you know what? We feel fine! That's right, join Kris Harms and me Wednesday at 2 pm eastern as we discuss our reactions to noteworthy security stories from 2011.

Register now and help Kris and me beat the attendee count from last month's record-setting Webinar.

If you have questions about and during the Webinar, you can always send them via Twitter to @mandiant and use the hashtag m_soh.

Tripwire Names Bejtlich #1 of "Top 25 Influencers in Security"

I've been listed in other "top whatever" security lists a few times in my career, but appearing in Tripwire's Top 25 Influencers in Security You Should Be Following today is pretty cool! Tripwire is one of those technologies and companies that everyone should know. It's almost like the "Xerox" of security because so many people equate the idea of change monitoring with Tripwire. So, I was happy to see my twitter.com/taosecurity feed and the taosecurity.blogspot.com blog make their cut.

David Spark asked for my "security tip for 2012," which I listed as:

Improve your incident detection and response program by answering two critical questions:

1. How many systems have been compromised in any given time period; and

2. How much time elapsed between incident identification and containment for each system?

Use the answers to improve and guide your overall security program.


Those of you on the securitymetrics mailing list, and a few other places, have heard me speaking about this topic. I'll probably blog about it in the future, but suffice it to say that those are the key issues you should address in 2012 in my opinion.

Monday, 05 December 2011

Become a Hunter

Earlier this year SearchSecurity and TechTarget published a July-August 2011 issue (.pdf) with a focus on targeted threats. Prior to joining Mandiant as CSO I wrote an article for that issue called "Become a Hunter":

It's natural for members of a technology-centric industry to see technology as the solution to security problems. In a field dominated by engineers, one can often perceive engineering methods as the answer to threats that try to steal, manipulate, or degrade information resources. Unfortunately, threats do not behave like forces of nature. No equation can govern a threat's behavior, and threats routinely innovate in order to evade and disrupt defensive measures.

Security and IT managers are slowly realizing that technology-centric defense is too easily defeated by threats of all types. Some modern defensive tools and techniques are effective against a subset of threats, but security pros in the trenches consider the "self-defending network" concept to be marketing at best and counter-productive at worst. If technology and engineering aren't the answer to security's woes, then what is?


Download and read my article starting on page 19 for the answer! July-August 2011 issue (.pdf)