Wednesday, 31 August 2011

Muxing AccessControl and FileInfo objects

Most of us know the members (partially printed at bottom) of System.Security.AccessControl and System.IO.FileInfo. And most of us know they both share the PS* NoteProperty items:

PSChildName                     NoteProperty   System.String PSChildName=test.txt
PSDrive                         NoteProperty   System.Management.Automation.PSDriveInfo...

Monday, 29 August 2011

TaoSecurity Security Effectiveness Model

After my last few Tweets as @taosecurity on threat-centric vs vulnerability-centric security, I sketched this diagram to help explain my thinking.

Security consists of three areas of interest: 1) What defenders think should be defended, whether or not it matters to the adversary or whether it is in reality defended, what I label "Defensive Plan"; 2) What the adversary thinks matters and really should be defended, but might not be, what I label as...

Sunday, 28 August 2011

TCP/IP Weapons School 3.0 in McLean, VA 26-27 Oct

I just created a class page for my upcoming TCP/IP Weapons School 3.0 in McLean, VA on 26-27 October 2011. I decided to offer this class because I haven't taught anything nearby in quite a while, and many people asked for a class in NoVA. I don't plan to offer this sort of "solo" (i.e., outside Black Hat) class again (or anytime soon). So, if you're in the neighborhood and you'd like to attend a TWS3 class, this could be your chance! The venue...

Friday, 26 August 2011

New-Object -ComObject Shell.Application

Here are some notes on exposing the Shell as a ComObject with Powershell. Here, I trace down the cookies folder:

$a = New-Object -ComObject Shell.Application
$b=1..100
foreach ($i in $b) {write "$i $($a | % {$_.Namespace($i).Self.Path})"}
....
32 C:\Users\rferrisx\AppData\Local\Microsoft\Windows\Temporary Internet Files
33 C:\Users\rferrisx\AppData\Roaming\Microsoft\Windows\Cookies
34 C:\Users\rferrisx\AppData\Local\Microsoft\Windows\History
...
($a | % {ls -recurse $_.Namespace(33).Self.Path }).count
2385
($a | % {ls -recurse $_.Namespace(33).Self.Path...

Wednesday, 24 August 2011

Tutorial Geek is moving to China!

So I am in the San Francisco airport right now waiting to board a plane for China. This could mean that Tutorial Geek will be blocked by the great firewall of China for the next year, or it could be that my next few tutorials are how to get past that. Perhaps there will be some Chinese posts coming up in the near futu...

Friday, 19 August 2011

Jaime Metzl Describes "China's Threat to World Order"

Props to LS for pointing me to this WSJ article titled China's Threat to World Order. I found the following pertinent for the "cyber" aspect:

Allegations that the Chinese government is behind the largest computer hacking operation in history will not come as a surprise to observers of recent trends in international relations. If there is one thing that China's actions across a range of fields have made clear, it is that Beijing will do whatever it...

Thursday, 18 August 2011

Expect to Hear "IDS Is Dead" (Again)

Do you remember when IDS was dead, and supposed to be replaced by "thought-leading firewalls" by 2005? Well, that prediction died pretty quickly. However, I expect to hear it again after reading DIB cybersecurity pilot has stopped 'hundreds' of intrusions, says Lynn:

About 20 companies participate in the Defense Department's 90-day pilot for an active network defense capability for the defense industrial base analogous to the Homeland Security Department's...

Wednesday, 17 August 2011

Bejtlich Leading Session at IANS

The IANS group just posted their fall forum announcement. It states I will be leading a session on the APT at their event in Boston on 20 September 2011.

Kicking off the morning will be Richard’s session on “Mitigating the Advanced Persistent Threat.” IANS continually hears from our clients that APT and cyber crime is a constant, nagging concern (if not for their own company… yet, then because of headline news read by company executives), and it...

Monday, 15 August 2011

Check Out MANDIANT Job Postings

If you visit www.mandiant.com/hireme you'll notice MANDIANT is looking to hire a ton of people over the next few weeks and months. We have openings all over the company, including my MCIRT business line. Basically if you're the go-to person in your organization for coding, doing, or supporting incident detection and response tools and/or techniques, you will probably find an interesting job here!

The easiest way to start the process is to pick a...

Tao of NSM Errata and Possible Book Plans

Recently an astute reader, Greg Back, submitted three corrections for typos to my first book, The Tao of Network Security Monitoring. I just uploaded these to the errata page and will submit them to the publisher now. Thanks to Greg for so closely reading the text and catching the errors! They involved miscounting bytes in two packets, and saying bytes where I should have said bits elsewhere.

On a related note, I'm considering reviewing my material...

Bejtlich Webinar for Dark Reading and InformationWeek

Thanks to Dark Reading and InformationWeek I will participate in the How Security Breaches Happen online virtual event on 25 August 2011. At 1330 ET I present with Nicholas J. Percoco and Kelly Jackson Higgins on "Why Bad Breaches Happen To Good Companies."

I will share the enterprise/CSO perspective while Nicholas will present the adversary simulation/pen tester perspective. Kelly will moderate. Lots of other speakers will participate from 1030...

Bejtlich Keynote at Hawaiian Telcom Conference

Thanks to Hawaiian Telcom I will be speaking at their 2011 Security Conference in Honolulu on 7 September 2011. My topic is "Putting the A, P, and T into the Advanced Persistent Threat:"

Advanced Persistent Threat, or APT, is a controversial term. Just what qualifies as the APT? Who invented this term? Is it a marketing vehicle or is there a method to its use? In this keynote, Mandiant CSO Richard Bejtlich will explain the history of the APT,...

Feedback from Latest TCP/IP Weapons School 3.0 Class

At Black Hat in Las Vegas and USENIX Security in San Francisco I taught three TCP/IP Weapons School 3.0 classes. I think my weekday class at Black Hat set a personal record student count, and I was glad to have Steve Andres from Special Ops Security there to help students with questions and lab issues!

I wanted to share some feedback from the classes, in case any of you are considering attending an upcoming class. Currently I'm scheduled to teach...

Sunday, 14 August 2011

Impressions: Android Forensics

My final book in this batch is Android Forensics by Andrew Hoog. Due to the nature of Android and the author's experience with it, this book has a lot of great content. (In contrast, on page xiii, the author thanks iPhone and iOS Forensics co-author Katie Strzempka "for generally taking care of that other book." Hmm, maybe I should have known that before trying to assess that "other book?")

My only real concern with this book is that it might lack...

Impressions: iPhone and iOS Forensics

The third forensics book in this batch is iPhone and iOS Forensics (IAIF) by Andrew Hoog and Katie Strzempka. This book is similar to iOS Forensic Analysis: for iPhone, iPad, and iPod touch by Sean Morrissey, in the sense that neither book is as strong as I might have hoped. Oddly enough, the aspects of Morrissey's book that were most compelling (like his overview of the various i-devices and attention to each of them) are weaker in IAIF. I found...

Impressions: XBox 360 Forensics

Next is Xbox 360 Forensics (X3F) by Steven Bolt. This book offers a lot of technical detail, but it seems to read more like a coroner's report than a guide for those doing forensics on the Xbox 360 platform. The author spends a lot of time documenting his analysis of the Xbox 360, but after perusing the book I took myself out of the role of scientist and into that of investigator. An investigator (such as a law enforcement person) is likely to...

Impressions: Digital Forensics with Open Source Tools

For my fourth impressions post, I'll turn to the digital forensics world for Digital Forensics with Open Source Tools (DFWOST) by Cory Altheide and Harlan Carvey. I took a lot of notes but didn't read closely enough in my opinion to merit a full review.

I didn't like the way this book started. I can't tell if the authors expect the reader to be familiar with open source software or not. The book needed to start in chapter 2 with something like...

Impressions: The Shellcoder's Handbook, 2nd Ed

The third book for which I'd like to share my impressions is The Shellcoder's Handbook, 2nd Ed (TSH2E) by Chris Ainley, John Heasman, FX, and Gerardo Richarte. I liked TSH2E, but I could tell that the collaboration among four authors caused some issues that could have been addressed by better editing. For example, early parts of the book use both Intel and AT&T assembly syntax, but the reader doesn't get an explanation of either until chapter...

Impressions: Reversing: Secrets of Reverse Engineering

I took a lot of notes while reading Reversing: Secrets of Reverse Engineering (RSORE) by Eldad Eilam, but I didn't read enough of the book to qualify in my opinion to write a true review. What I did read, though, was awesome. RSORE is very well written, clear, interesting, and features high production value and quality. Although Wiley published the book in 2005, I believe it's as relevant now as it was six years ago. In fact, I recommend pairing...

Impressions: The IDA Pro Book, 2nd Ed

What better way to start my new book impressions technique than The IDA Pro Book, 2nd Ed (TIDP2E) by Chris Eagle. I didn't read the entire book because I am not a reverse engineer, nor am I an IDA Pro user. However, I find the field, the tools, and the people who do reverse engineering to be interesting. My overall impression is that TIDP2E is an excellent book. Chris Eagle appears to have written an incredibly detailed and current text on IDA...

Book Reviews vs Impressions

I've been reading and reviewing technical books at Amazon.com since 1999, and trying to meet reading goals since 2000. Most of you know that I only review books that I read, unlike some of the people who post "reviews" at Amazon.com. I personally don't care to read "reviews" by people who don't read the books. What's the point?

However, I believe there is room for commentary on books, where I explicitly state that my reactions are based mainly...

Thursday, 11 August 2011

Sorting Windows events by UserID: Part II (Building a Module)

I am a bit late to some v2.0 functionality. I made my first attempt at creating a module, in this case a six function script that queries general information from an event log. I ran into at least two problems:

(a) get-winevent is slow for high volume queries
(b) modules so encapsulate their variables in functions that I could not find how to call all functions globally from an internal or external script. ...