Wednesday, 30 June 2010

Digital Forensics Magazine

I just learned of a new resource for digital forensics practitioners -- Digital Forensics Magazine. They just published their third issue. This appears to be a high quality publication with authors like Mark D. Rasch (The Fourth Amendment: Cybersearches, Particularity and Computer Forensics), Solera's Steve Shillingford (It's Not About Prevention), and others. Check it o...

Friday, 25 June 2010

Comments on Sharkfest Presentation Materials

I saw that presentations from Sharkfest 2010 are now posted. This is the third year that CACE Technologies has organized this conference. I've had conflicts each of the last three years, but I think I need to reserve the dates for 2011 when they are available. In this post I wanted to mention a few slides that looked interesting.

Jasper Bongertz presented Wireshark vs the Cloud (.pdf). I reviewed this presentation to see if anyone is doing something...

Dealing with Security Instrumentation Failures

I noticed three interesting blog posts that address security instrumentation failures.

First, security software developer Charles Smutz posted Flushing Out Leaky Taps:

How many packets does your tapping infrastructure drop before ever reaching your network monitoring devices? How do you know?

I've seen too many environments where tapping problems have caused network monitoring tools to provide incorrect or incomplete results. Often these issues last...

Thursday, 24 June 2010

CloudShark, Another Packet Repository in the Cloud

I've been interested in online packet tools for several years, dating back to my idea for OpenPacket.org, then continuing with Mu Dynamics' cool site Pcapr.net, which I profiled in Traffic Talk 10. Yesterday I learned of CloudShark, which looks remarkably similar to Wireshark but appears as a Web application. I generated the picture at right by downloading a trace showing FTP traffic from pcapr.net, then uploading it to CloudShark. Apparently CloudShark...

Monday, 21 June 2010

All Aboard the NSM Train?

It was with some small amusement that I read the following two press releases recently:

First, from May, NetWitness® and ArcSight Partner to Provide Increased Network Visibility:

NetWitness, the world leader in advanced threat detection and real-time network forensics, announced certification by ArcSight (NASD: ARST) of compliance with its Common Event Format (CEF) standard. ArcSight CEF certification ensures seamless interoperability and support between...

Mike Cloppert on Defining APT Campaigns

Please stop what you're doing and read Mike Cloppert's latest post Security Intelligence: Defining APT Campaigns. Besides very clearly and concisely explaining how to think about APT activity, Mike includes some original Tufte-esque figures to demonstrate APT attribution and moving up the kill cha...

Sunday, 20 June 2010

Full Disclosure for Attacker Tools

The idea of finding vulnerabilities in tools used by attackers is not new. It's part of the larger question of aggressive network self defense that I first discussed here in 2005 when reviewing a book of that title. (The topic stretches back to 2002 and before, before this blog was born.) If you follow my blog's offense label you'll see other posts, such as More Aggressive Network Self Defense that links to an article describing Joel Eriksson's...

Saturday, 19 June 2010

Argus!!!

I have been reading Real Digital Forensics and came across the recommended use of Argus ("Audit Record Generation and Utilization System"). Argus is fast, wide and deep network analysis of pcap files. It took me some time to compile and start to make sense of it, although there is a relevant and clever wiki page and a good collection of recent articles explaining research, university and real world use. My discussion below concerns Argus auditing functionality.

Argus dumps your pcap file into a compressed argus formatted file which carries...

Monday, 14 June 2010

Can Someone Do the Afghanistan Math?

I'm sure most of you have read the NY Times story U.S. Identifies Vast Mineral Riches in Afghanistan:

The United States has discovered nearly $1 trillion in untapped mineral deposits in Afghanistan, far beyond any previously known reserves and enough to fundamentally alter the Afghan economy and perhaps the Afghan war itself, according to senior American government officials...

Instead of bringing peace, the newfound mineral wealth could lead the Taliban to battle even more fiercely to regain control of the country...

The mineral deposits are scattered...

the 'find' command for security...Part I

These are some meditations on using the *NIX 'find' command for security...

These are very quick ways of finding the 'last access' time on every file. 'stat -x' is for OpenBSD. The grep pattern file 'file' contains:

File:
Access:

for i in `find /`; do echo "$i" `stat -x "$i" | grep "Access"`; done

find / | xargs stat -x | grep -f file | tr -d "[\042]"

On Linux or Cygwin:

for i in `find /cygdrive/C/Security`; do echo "$i" `stat "$i" | grep "Access" | grep -v Gid`; done

/cygdrive/C/Security Access: 2010-06-14 15:58:04.293000000 -0700
/cygdrive/C/Security/.ImplementingSecurityDuringWebDesign.txt.swp...

Saturday, 12 June 2010

Light Bulbs Slowly Illuminating at NASA?

I've seen a few glimmers of hope appearing in the .gov space recently, so I wanted to note them here.

Linda Cureton in her NASA CIO blog said:

We have struggled in the area of cyber security because of our belief that we are able to obtain this ideal state called – secure. This belief leads us to think for example, that simply by implementing policies we will generate the appropriate actions by users of technology and will have as a result a secure...

Friday, 11 June 2010

NITRD: "You're going the wrong way!"

If you remember the great 1980s movie "Planes, Trains, and Automobiles" the title of this post will make sense. When Steve Martin and John Candy are driving down the wrong side of the highway, another motorist yells "You're going the wrong way!" The deluded pair reply "How do they know where we're going?"

I am starting to feel like the motorist yelling "You're going the wrong way!" and I'm telling Federal research efforts like the Federal Networking...

Thursday, 10 June 2010

June 2010 Hakin9 Magazine Published

The new June 2010 Hakin9 has been published in .pdf form. It looks like they replaced the registration-based download with a link straight to the .pdf -- nice. The article Testing Flash Memory Forensic Tools – part two looks interesting, and I always like reading whatever Matt Jonkman writes. Check it out -- it's fr...

"Untrained" or Uncertified IT Workers Are Not the Primary Security Problem

There's a widespread myth damaging digital security policy making. As with most security myths it certainly seems "true," until you spend some time outside the policy making world and think at the level where real IT gets done. The myth is this: "If we just had a better trained and more professional IT corps, digital security would improve."

This myth is the core of the story White House Commission Debates Certification Requirements For Cybersecurity...

Wednesday, 09 June 2010

Publicly Traded Companies Read This Blog

I think some publicly traded companies read this blog! Ok, maybe I'm dreaming, but consider the story After Google hack, warnings pop up in SEC filings by Robert McMillan:

Five months after Google was hit by hackers looking to steal its secrets, technology companies are increasingly warning their shareholders that they may be materially affected by hacking attempts designed to take valuable intellectual property.

In the past few months Google, Intel,...

Sunday, 06 June 2010

Simple Questions, Difficult Answers

Recently I had a discussion with one of the CISOs in my company. He asked a simple question: "Can you tell me when something bad happens to any of my 100 servers?"

That's a very reasonable question. Don't get hung up on the wording. If it makes you feel better, replace "something bad happens to" with "an intruder compromises," or any other wording that conveys the question in a way you like.

It's a simple question, but the answer is surprisingly...

Friday, 04 June 2010

Reminder for Incident Responders

I found this post [Dailydave] How to pull a dinosaur out of a hat in 2010 by Dave Aitel to contain two warnings for incident responders:

I do know that reliably owning Wireshark on Windows 7 is priceless.

and

So many otherwise very cautious people don't realize that RDP is like giving your passwords away to the remote machine. So we had to write a trojan that stole the passwords as people RDP'd in and we installed it for demos on various client sites.

The...

Wednesday, 02 June 2010

time stamping windows directory and file names

This is something I have blogged about before, but I thought it worth posting again. Special characters need to be eliminated to create a time stamp that can be used as a Windows file name. The `date` program in Unix has a number of very useful options for this. Windows cmd shell is more limited. This is what I use:

:: rtime.cmd
@echo off
set realdate=%date:/=.%
set realdate=%realdate:* =%
set realtime=%time::=.%
set realtime=%realtime:* =%
set timestamp=%realdate%.%realtime%
echo %timestamp%

This command script uses 'variable substitution'...