Wednesday, 31 March 2010

Vista logon.scr error

Vista, as most of us know, will take a machine out of standby (light sleep) to install the "Tuesday updates". After it reboots, I see this: Logon screen errors are traditionally dangerous because they have been used to bypass the logon scre...

Wednesday, 24 March 2010

GE-CIRT Joins FIRST

I am pleased to announce that on Friday 19 March the Forum of Incident Response and Security Teams, or FIRST, accepted the General Electric Computer Incident Response Team, GE-CIRT, as a full member. This represents about a year of work for us. I am really proud of our team, especially since we reached initial operational capability on 1 January 2009. I would like to thank James Barlow and Rob Renew for sponsoring our application; Sarah Gori for...

Bejtlich in April Wired Magazine

The April issue of Wired Magazine features an article by Noah Shachtman titled Security Watch: Beware the NSA’s Geek-Spy Complex. Noah writes: Early this year, the big brains at Google admitted that they had been outsmarted. Along with 33 other companies, the search giant had been the victim of a major hack — an infiltration of international computer networks that even Google couldn’t do a thing about. So the company has reportedly turned to the...

Bejtlich Returns to PaulDotCom Podcast

The guys at PaulDotCom posted the podcast .mp3 (39 MB) they conducted last week. It was another debate between myself and Ron Gula. We contrast control-centric and threat-centric defensive strategies, as well as discuss advanced persistent threat. Thanks for having us. I had forgotten that I was on their second show in January 20...

Monday, 22 March 2010

Data Breaches 2010

Below is a list of 171 data breaches identified by public records found by the ID Theft Resource Center for the first two and one half months of 2010. ITRC has a Justice Department grant to catalog all known data breaches from credible sources. ITRC is a donor-sponsored, multi-venue non-profit working to resolve identity theft. If you are a public or private sector enterprise of any type - banking, financial services, insurance, university, medical provider, HMO, governmental department, law firm, hotelier, or non-profit - you...

Ways to Justify Security Programs: 13 Cs

My last post, Forget ROI and Risk. Consider Competitive Advantage, seems to be attracting some good comments. I thought it might be useful to mention a variety of ways to justify a security program. I don't intend for readers to use all of these, or even to agree. However, you may find a handful that might have traction in your environment. Crisis. Something bad happens. Although this is the worst way to justify a program, it is often very effective. Compliance....

Sunday, 21 March 2010

Forget ROI and Risk. Consider Competitive Advantage

In my last post, Time and Cost to Defend the Town, I mentioned pondering different ways to discuss digital security with a new executive. This business leader reportedly said "every day, our businesses are competing in a global marketplace. How can we help them?" I thought about that statement and one idea came to mind: Digital security helps businesses build competitive advantage. I've decided that competitiveness is the new theme which I will...

Friday, 19 March 2010

Time and Cost to Defend the Town

Recently I guest-blogged on the importance of learning how another person thinks. This week I had a chance to apply this lesson with a new decision maker. I learned that I need to develop a way for this executive to think about our security program. I discussed the situation with my wife and she suggested focusing on cost. I thought about this a little more and realized that was the right way to approach the problem. Consider the following scenario....

Thursday, 18 March 2010

ipsumdump..

It is easy to be fond of professor Eddie Kohler's ipsumdump. Take your monthly egress pcap file and filter it through something like this:

for i in `ipsumdump -s --no-headers $1 | sort -n | uniq`
do
  echo $i, `./geoip.sh $i | awk '{print $1""$7""$8" "$9""$10""$11}'`
done

(where geoip.sh is geoiplookup -f /usr/local/share/GeoIP/GeoLiteCity.dat $1) and you are quickly returned something like this:

10.10.10.2, GeoIPAddressnot found
12.129.147.95, GeoIPVA,Ashburn, 20147,39.033501,-77.483803,
12.130.131.98,...

Wednesday, 17 March 2010

Guest Post on SecureThinking about Cyber Shockwave

BT asked me to write a guest post on their blog, so I provided a new Reaction to Cyber Shockwave. I hadn't really addressed one of the main reasons why I liked Cyber Shockwave, despite the LOL-worthy "technical" aspects of the "simulation," when I wrote my first Reaction to Cyber Shockwave. Please check out the post if you'd like to read more about this. Thank y...

Tuesday, 16 March 2010

How the FEDS use social networking...

What type of security risk is social networking? A document obtained by the EFF and posted on Wired's Threat Level blog details how the FBI and Secret Service are using social networking sites to obtain information. Here's a sample from the document: "Overview of Key Social Networking Sites. GETTING INFO FROM FACEBOOK: Data is organized by user ID or group ID. Standard data productions (per LE guide): Neoprint, Photoprint, User Contact Info, Group Contact Info, IP Logs. HOWEVER, Facebook has other data available. Often cooperative...

Sunday, 14 March 2010

Verizon Incident Sharing Framework

Earlier this month Verizon Business announced their Verizon Incident Sharing Framework (VerIS framework). This document is a means to describe digital security incidents, using four main groupings: 1. Demographics, 2. Incident Classification, 3. Discovery and Mitigation, and 4. Impact Classification. The idea is to provide a framework that incident investigators can complete for every digital security incident. Using the output, security teams...

Saturday, 13 March 2010

Bejtlich Keynote at VizSec 2010

I am pleased to report that I've been invited to deliver the keynote at VizSec 2010 on 14 Sep in Ottawa, Ontario. I am on the Program Committee for a third year and will be evaluating papers soon. Please visit my post on calls for papers for DFRWS, VizSec, and RAID. Thank y...

Wednesday, 10 March 2010

Bejtlich OWASP Podcast Posted

My appearance on OWASP Podcast 61 is available. The .mp3 is 36 MB. Thanks to Jim Manico for inviting me to participate. We recorded the podcast in late January. Jim asked me the following questions: Would you care to tell us how you got into IT and what led you into a career in information security? What keeps you busy these days? What's the difference between focusing on threats vs focusing on vulnerabilities? What is your problem with the...

Monday, 08 March 2010

Traffic Talk 10 Posted

I just noticed that my tenth edition of Traffic Talk, titled Pcapr.net -- where Web 2.0 meets network packet analysis, has been posted. From the article: Solution provider takeaway: Pcapr.net is a free packet collaboration site hosted by Mu Dynamics. Solution providers can participate in the community to exchange, analyze and gather traces for testing products or processes for their customers, including network packet analysis. Not many networking...

Saturday, 06 March 2010

Einstein 3 Coming to a Private Network Near You?

In my Predictions for 2008 I wrote: Expect greater military involvement in defending private sector networks... The plan calls for the NSA to work with the Department of Homeland Security (DHS) and other federal agencies to monitor such networks to prevent unauthorized intrusion, according to those with knowledge of what is known internally as the "Cyber Initiative." Now in Feds weigh expansion of Internet monitoring we read: Homeland Security and the...

Making a Point with Pressure Points

Imagine you're a martial arts student. One day you have a guest instructor, accompanied by some of his black belts. They're experts in so-called "pressure point fighting." You've heard a little of this system, whereby practitioners can knock out adversaries with a series of precise strikes that lack the power of a brute-force approach. Until today you've had no direct experience. You may be skeptical, or maybe you believe such techniques are...

Keeping FreeBSD Applications Up-to-Date in BSD Magazine

The March 2010 BSD Magazine includes an article I wrote titled Keeping FreeBSD Applications Up-to-Date. It's a sequel to my article in the January 2010 BSD Magazine titled Keeping FreeBSD Up-to-Date: OS Essentials. With these two articles published, they replace the versions I wrote in 2005. I wrote these articles to demonstrate the variety of ways a system administrator can keep the FreeBSD operating system and applications up-to-date, with examples...

Thursday, 04 March 2010

Bejtlich Teaching at Black Hat EU and USA 2010

Black Hat was kind enough to invite me back to teach multiple sessions of my 2-day course this year. Next is Black Hat EU 2010 Training on 12-13 April 2010 at Hotel Rey Juan Carlos I in Barcelona, Spain. I will be teaching TCP/IP Weapons School 2.0. Registration is now open. Black Hat has three price points and deadlines for registration remaining: Regular ends 1 Apr; Late ends 11 Apr; Onsite starts at the conference. Finally we have Black Hat USA 2010...

Bejtlich to Speak at FIRST 2010

I'm happy to report that I will present Building a Fortune 5 CIRT Under Fire at FIRST 2010 on 16 Jun 10 in Miami, FL. I plan to attend the majority of the conference, since it is one of the few focused on incident detection and response. I hope to see you the...