Sunday, 27 September 2009

6th Issue of BSD Magazine

The 6th issue of BSD Magazine is available now. This edition has several great articles. I liked Jan Stedehouder's article on Triple booting Windows 7, Ubuntu 9.04 and PC-BSD 7.1, Christian Brueffer's article on FreeBSD Security Event Auditing, and the Questions and Answer Session of the BSD Certification Group Community with Dru Lavigne and Mikel King. I've been working with the editor at BSD Magazine to publish my articles on keeping FreeBSD...

Hakin9 Extended Edition in Stores

Hakin9 published an "extended edition" magazine recently. This "best of" issue is 218 pages long and contains a nice selection of past articles. Although the writing isn't as uniformly smooth as one would find in the late, great Sys Admin magazine, I continue to find interesting articles in Hakin9. (By "smooth" I mean that articles written by non-native speakers tend to reflect that English isn't their first language. Hakin9 might consider hiring...

Wednesday, 16 September 2009

Security Information and Event Management (SIEM) Position in GE-CIRT

My team just opened a position for a Security Information and Event Management professional. This candidate will report to me in GE-CIRT but take daily direction from our SIM leader and our Lead Incident Handler. We're looking for a technical person who can not only administer our SIM, but also help our team implement our detection and response objectives and use cases in our SIM and related infrastructure. This candidate will sit in our new Advanced...

Thursday, 10 September 2009

Information Security Position in GE Aviation

My colleagues in GE Aviation are looking for a candidate for a client computing architect. The focus will be Microsoft Windows platforms. According to the hiring manager, the following are desired:

50% leadership / 50% technical mix
Strong leadership, program management, and influence skills
Strong communication skills; the candidate will work with business and Corporate teams
Security and technical skills, such as a strong command of Windows features...

Open Source Vulnerability Disclosure with FreeBSD

The purpose of this post is not to bash Microsoft, but I am going to point out why I prefer relying on open source platforms, especially for sensitive systems. One of the advantages of the open source model is that anyone can identify and evaluate changes. This is especially true of open source projects like FreeBSD. Let's look at a recent security advisory in ntpd to demonstrate what I mean.

FreeBSD-SA-09:11.ntpd...

Microsoft Updates MS09-048 to Show XP Vulnerable to 2 of 3 CVEs

Microsoft published a Major Revision of MS09-048 to show that Windows XP Service Pack 2 and Windows XP Service Pack 3* are now Affected Software. This is an important development. It is significant to acknowledge that an operating system is vulnerable despite the potential to add a countermeasure. In other words, countermeasures do not remove vulnerabilities.

The company also updated the FAQ:

If Windows XP is listed as an affected product, why is...

Wednesday, 09 September 2009

MS09-048 on Windows XP: Too Hard to Fix

This is a follow-up to MS09-048 is Microsoft's Revenge Against XP in the Enterprise. Everyone is talking about how Windows 2000 will not receive a patch for MS09-048:

If Microsoft Windows 2000 Service Pack 4 is listed as an affected product, why is Microsoft not issuing an update for it?

The architecture to properly support TCP/IP protection does not exist on Microsoft Windows 2000 systems, making it infeasible to build the fix for Microsoft Windows...

MS09-048 is Microsoft's Revenge Against XP in the Enterprise

MS09-048 worries me.

Non-Affected Software
Operating System
Windows XP Service Pack 2 and Windows XP Service Pack 3*

How are default configurations of Windows XP not affected by this vulnerability?

By default, Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2 do not have a listening service configured in the client firewall and are therefore not affected by this vulnerability. For the denial...

Monday, 07 September 2009

The Network Monitor API: Part II

The LoadCapAndFilter example from Network Monitor Examples from Codeplex allows you to specify a particular filter from Network Monitor API. Some fragments from the code are below. Note how the string is escaped (e.g. \"GET\"):

[LoadCapAndFilter.cpp]

    // Add filter
    ret = NmAddFilter(myFrameParserConfig, L"http.request.command == \"GET\"", &myHTTPFilterID);
    ...
    // Add field
    ret = NmAddField(myFrameParserConfig, L"http.request.uri", &myHTTPFieldID);
    ...
    // Obtain the value of http.request.uri from frame. We
    // know that strings are passed as word pointer...

Review of Windows Forensic Analysis 2nd Ed Posted

Amazon.com just published my five star review of Windows Forensic Analysis, 2nd Ed by Harlan Carvey. From the review:

I read and reviewed the 1st Ed of this book in July 2007, and I just finished reading Windows Forensic Analysis 2nd Ed (WFA2E) this weekend. If your job involves investigating Windows systems, you must read this book. It's as simple as that. There is no substitute for this book. It also perfectly complements other solid forensics...

Bejtlich Speaking at Information Security Summit

My boss Grady Summers, GE CISO, and I will be presenting one of the keynotes at the Information Security Summit, 29-30 October, in Warrensville Heights, Ohio. Our topic is "CISO + CIRT = Success." In 2007, the CISO of General Electric decided to invest in a dedicated program to detect and respond to intrusions, as a centralized, global function within GE. Since then, GE has built a Computer Incident Response Team (CIRT), deployed dozens of sensors...

Bejtlich Speaking at DojoCon

I will be presenting one of the keynotes at DojoCon, 6-7 November in Maryland. This should be a good event. Follow @dojocon for updates. Marcus Carey is organizing ...

Friday, 04 September 2009

Extreme Asymmetry in Network Attack and Defense

As usual, Gunter Ollmann posted a great story on the Damballa blog titled Want to rent an 80-120k DDoS Botnet? He writes:

[T]his particular operator is offering a botnet of between 80k and 120k hosts capable of launching DDoS attacks of 10-100Gbps – which is more than enough to take out practically any popular site on the Internet. The price for this service? $200 per 24 hours – oh, and there's a 3 minute try-before-you-buy.

Someone please tell me...

Thursday, 03 September 2009

Registration for VizSec 2009 Open

The program for VizSec 09 has been posted. It looks like a great event. I served on the program committee. Bill Cheswick's keynote looks excellent. I'm not sure if I will be attending or not, but check it out if you're looking for ways to integrate visualization into your security operations. I am most interested in 1) handling large data sets and 2) visualizing something other than layer 3 and 4 informati...

Tuesday, 01 September 2009

The NetworkMonitor API: Part I

I've spent the last three weeks building the Network Monitor Examples from Codeplex: http://nmexperts.codeplex.com/Release/ProjectReleases.aspx?ReleaseId=27988. Sniffers have been pretty black box to me before this project. I was prompted to do this because Network Monitor 3.3 on 64 bit systems doesn't produce captures that can be analyzed by logparser.exe. This is good and bad. Logparser only dumped out 20 fields from netmon *.cap files. Despite the struggle, it was worth installing the latest versions (VS2008, VS2009 Express), configuring...