Friday, December 23, 2005

Gearing up for the holidays!

That topic can certainly mean multiple things like, "I am simply getting ready for Christmas" or "I am gathering all my geeky electronics so I can stay connected while out of town" or "I am hoping to get an iPod Video for Christmas." When I started writing it, I was just referring to getting all of our stuff together, but there is a lot of geek stuff that I tend to take with me...PowerBook, iPod, Treo 650, CDs/DVDs and some piece of hardware I am messing around with like a firewall, router, external hard drive or sometimes even a full blown PC. This year will not be overpacked. I have an article to start working on ASAP, which will be done on my PowerBook with Virtual PC while listening to my iPod.

Enough of my rambling...it is the Friday before Christmas and campus is dead. Time to go home and work from the comfort of my couch.

Merry Christmas!

Tuesday, December 20, 2005

Podcasts I Listen To...

I was planning on getting this list out last week but never bothered to sit in front of my desktop to look at the iTunes podcast subscriptions since I post to my blog from my PowerBook. So, here it goes. They are in alphabetical order thanks to iTunes. I will post my opinions and descriptions with each one. Note: This list and the links took quite a while to put together. I hope you find it useful. Disregard misspellings and such because it is late!

  • A Day in the Life of an Information Security Investigator
    • This is a fun and informative listen. It is based on the Chief's blog. The Chief, aka Security Monkey, talks about his cases as a security investigator, answers questions from his monkeys (blog readers) and allows his right-hand man, Scrap, to rant. Definitely one of my favorites.
  • Ancestor
    • This is a podcast novel by Scott Sigler who releases a new chapter/episode every week. Another one of my top favorites. I really look forward to listening every Monday as the story unfolds. If you don't mind some blood, gore and explicit language, check it out!
  • Blue Box: The VoIP Security Podcast
    • I had to catch up as I came into listening around the 8th episode. It is a good podcast about VoIP issues, current trends, new products and topics from the VOIPSA mailing list.
  • Diggnation
    • I enjoy just about every episode. I find myself laughing out loud while walking around campus or having lunch in the breakroom. Kevin and Alex talk about the top "dug" stories from the site Digg.com. They provide adolescent humor the entire time, making me wonder why I like it so much, but I think it just reinforces why I like it so darn much. The comic relief makes it one of my top favorites.
  • EarthCore: A Podcast Novel
    • This is the first podcast novel ever and Scott Sigler did a great job. I was always looking forward to the new episodes. It has ended and has even been published because of the huge fan base. You can catch up on all the episodes as they are still online. This ranks in my top favorites. Plenty of blood, gore and explicit language.
  • ITC: Security
    • I keep this in my iTunes list in hopes that good stuff will come around again. There have been three really good ones that I have saved and sometimes relisten to. Most suck. The chick who runs the "security university," or whatever it is called, is a moron and conducts awful interviews. Check out the ones with Ron Gula and Dan Geer. I also have Bruce Schneier's in my list under ITC but can't remember if it was really that good.
  • Martin McKeay
    • Martin is a CISSP with a pretty good blog. He is focused quite a bit on the Payment Card Industry (PCI) regulations and has some good insight into it. I enjoy his blog and podcast but wish he would fix it so I could subscribe via iTunes. As he gets more into podcasting and decides more on a structure for the shows, I could see this as possibly becoming a favorite.
  • Mighty Seek: WebAppSecurity
    • There have only been a handful of episodes but they were pretty good regarding web application security. The host gets on his soapbox a bit but he has intelligent arguments. I hope to hear more good stuff from this one.
  • Mommycast.com
    • I started listening to a couple of these after I had begun downloading them for my wife. At the time, she was pregnant and I was able to use some of the things I learned from the podcast to immediately help her through the pregnancy. It has been a couple of months since I listened to any of them but keep them around for her and the chance I might be interested again.
  • Network Computing | Security Channel
    • I subscribed to this because it is done by a friend of mine. I have only listened to about 4-5 of them and enjoyed a couple. The ones that include interviews are usually the best ones. If you have limited time and get bored easily, you might want to pass over this one. I do expect it to get better, but it isn't there yet.
  • NotParanoia Podcasts
    • I'm not sure I have made it through a full episode yet. The hosts are in Australia and England making the sound quality pretty shoddy. I keep it in my list so that one day I will go back and give it another chance. Maybe the newer ones have gotten better. YMMV.
  • NPR: 7AM ET News Summary
    • I am not a world news, or even a local news, nut. If the news doesn't come in a security related e-mail, I don't usually know about it. This is my weak attempt at knowing what is going on in the world.
  • PaulDotCom Security Weekly
    • This is a pretty decent podcast. I do get a little tired of the guys rehashing current security issues but it is fun to listen to their ideas. They tend to be goofy when referring to putting on their White/Gray/Black hats when discussing issues but I have hope that they will continue to refine their podcast.
  • SABAGsecurity
    • This is by two guys that work for McAfee. It is pretty good. They don't evangelize their products as much as you might think. McAfee product coverage is minimal with only talking about new releases or bugs. The rest of the time is spent on a topic of the week or month and current "notable" vulnerabilities. Not a favorite but it has potential.
  • Security Catalyst
    • This is a great podcast. Michael is a Lead CISSP Instructor who speaks and trains professionally. He has good insight into security topics, does not focus on current issues (thankfully) and has grand plans for his podcast. He is currently looking for a co-host and has an "editorial board" to help plan the episodes. Michael certainly puts a lot of time and effort into his podcast. I enjoy this one quite a bit and expect it to become a top favorite.
  • Security Now!
    • Ugh...I'm not sure why I keep this around. Steve Gibson is a smart guy but sometimes sounds like he needs to switch to decaf because he gets talking so fast that he says the wrong thing. Now, I am sure it is simply because he is overexcited and confuses himself. But then again, maybe it is the fact that Leo Laporte is a computer security ID10T. Seriously, Leo is security stupid. It hurts me to listen sometimes. I don't think I have ever listened to a full episode out of boredom or disgust. I think I just keep it around for pure masochistic joy.
  • Systm
    • This is a video podcast of which I have only watched one episode, but I plan on going back and watching more. I have an iPod Photo, so watching it requires me to sit in front of my desktop, which I don't do much anymore thanks to my PowerBook. This one has some definite potential as long as Kevin Rose doesn't try to act too much like a "hacker."

Monday, December 19, 2005

Helix 1.7 is out!

Did you get the message? Neither did I. Helix is an awesome Linux bootable CD for incident response and forensics. On top of being a great bootable CD, it has an excellent Windows incident response side to it. Sort of a Dr. Jekyll and Mr. Hyde type of thing. It is bizarre to me that such a nice update didn't get any fanfare. The Helix site doesn't even state that 1.7 is available. The forum mentions it and the changelog is updated, but the page doesn't state the version or an updated file hash.

Some of the highlights of the update include Linux and Windows features. Some of the Linux updates include a 2.6.14 kernel, updated tools like Autopsy, Sleuthkit, Firefox, dcfldd, and new tools like the EnCase Linen Utility, tcpxtract and hfsplus for Mac drives. For Windows, a new GUI, log files saved in PDF, updated tools like WFT, FRED, and new tools such as IRCR, Forensic Server Project and FTK Imager.

Definitely check out Helix when you have time. It is worth your time if you do any sort of Incident Response or Forensics. One beef I have with Helix is the GUI under Windows. I posted a message in the forum to see if Drew would modify Helix's behavior to open a CMD prompt first and then let the user choose to run the GUI if they want. Why? The GUI loads into RAM and could potentially overwrite important evidence. I recommend going straight to a CMD, providing some scripts for imaging memory and local drives and then letting users go into a GUI for more in-depth analysis...but that is just my 2 cents. Take it for a spin and decide for yourself.

Friday, December 16, 2005

Knowing what's on your box...

Do you know what is running on your boxes? Really...are you sure? I was handling an incident today where a machine was compromised through an unnamed database that was running as part of a terminal server application. The whole time I was investigating the compromise I was wondering if they knew the DB was running, and if so, did they think about whether or not it needed to be externally accessible and did they think that maybe it would need to be updated. Heck, maybe they thought the vendor who was using the DB would be responsible and provide updates to it. Beats me. As an incident handler, I don't always get my hands on the boxen that get 0wN3d. I get to provide the network forensic data proving it was compromised so that the system administrator can deal with it appropriately.
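Answering "do you know what is running on your boxes?" starts with an inventory of what is actually listening and a baseline of what is supposed to be. The script below is an added example, not code from the original post: it parses listening sockets out of Windows `netstat -ano` or Linux `netstat -tlnp` output, compares them to a per-port baseline, and separately lists everything bound to a wildcard address, since those are the services to ask "does this really need to be reachable from outside?" about. The netstat lines, the baseline, the PIDs and the ports (the 143x pair standing in for a database a vendor application dragged in) are all constructed for the example.

```python
"""Inventory what is listening on a box from netstat output and flag
anything not on the approved baseline. Added example, not from the
original post; the netstat lines and the baseline are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Matches listening sockets from Windows `netstat -ano` (proto, local,
# foreign, LISTENING, PID) and Linux `netstat -tlnp` (proto, Recv-Q,
# Send-Q, local, foreign, LISTEN, PID/program).
_LISTEN_RE = re.compile(
    r"^\s*(?:tcp6?|TCP)\s+"
    r"(?:\d+\s+\d+\s+)?"          # Linux Recv-Q / Send-Q columns
    r"(?P<local>\S+)\s+\S+\s+"    # local address, foreign address
    r"LISTEN(?:ING)?\b"
    r"(?:\s+(?P<pid>\d+))?",      # PID, if the tool printed one
    re.IGNORECASE,
)

# Bound to every interface: reachable from off-box unless a firewall intervenes.
WILDCARD_HOSTS = {"0.0.0.0", "::", "*", "[::]"}


@dataclass(frozen=True)
class Listener:
    host: str
    port: int
    pid: Optional[int]


def parse_listeners(netstat_output: str) -> List[Listener]:
    """Pull (host, port, pid) out of every LISTEN/LISTENING row."""
    found = []
    for line in netstat_output.splitlines():
        m = _LISTEN_RE.match(line)
        if not m:
            continue
        host, _, port = m.group("local").rpartition(":")   # handles IPv6 ':::22'
        pid = int(m.group("pid")) if m.group("pid") else None
        found.append(Listener(host, int(port), pid))
    return found


def audit_listeners(netstat_output: str, baseline: Dict[int, str]
                    ) -> Tuple[List[Listener], List[Listener]]:
    """baseline maps port -> service that is supposed to be there.
    Returns (unexpected, exposed): listeners not in the baseline, and
    listeners bound to a wildcard address."""
    listeners = parse_listeners(netstat_output)
    unexpected = [l for l in listeners if l.port not in baseline]
    exposed = [l for l in listeners if l.host in WILDCARD_HOSTS]
    return unexpected, exposed


# Constructed `netstat -ano` output for a Windows terminal server; the two
# 143x listeners stand in for a database a vendor application dragged in.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1204
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       2380
  TCP    127.0.0.1:1434         0.0.0.0:0              LISTENING       2380
  TCP    10.0.0.5:3389          10.0.0.77:51402        ESTABLISHED     1204
  UDP    0.0.0.0:445            *:*                                    4
"""

# What the admin believes should be listening (constructed).
BASELINE = {135: "RPC endpoint mapper", 3389: "Terminal Services"}


def report(netstat_output: str = SAMPLE_NETSTAT,
           baseline: Dict[int, str] = BASELINE) -> List[str]:
    """One line per finding, ready to paste into an incident note."""
    unexpected, exposed = audit_listeners(netstat_output, baseline)
    lines = [f"UNEXPECTED {l.host}:{l.port} pid={l.pid}" for l in unexpected]
    lines += [f"EXPOSED    {l.host}:{l.port} ({baseline.get(l.port, 'not in baseline')})"
              for l in exposed]
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Run it against real output by piping `netstat -ano` (or `netstat -tlnp` as root on Linux) into a file and passing that text to `report()`. A listener that is unexpected and bound to 0.0.0.0 is exactly the case in the story above: nobody knew it was there, so nobody asked whether it needed to be external or patched.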

On a related note, the first alpha release of Metasploit was released yesterday. It is now based on the Ruby programming language, which a friend of mine referred to as being as simple as writing pseudocode. I plan on checking it out as it may be applicable to the private hacking challenge I am working on. The whole point of this paragraph is that I was wondering if the release might have been why we saw the DB get exploited today. I haven't bothered checking all the new sploitz included in the alpha release, but I can tell you that last year's big release caused two immediate compromises of servers running the Veritas Backup Exec agent.

That's enough for now. I have to run home to get ready for a party that is an hour and a half away. I know I promised my lists of podcasts today but that will either have to wait until after the party or maybe later this weekend. TGIF!

Thursday, December 15, 2005

When to rebuild...

We have this little section in our policy that states a system must be rebuilt after it is compromised. In some situations, the rebuild will be at the discretion of the Information Security Manager. Unfortunately, system administrators like to argue about this or simply ignore it when it comes to malware. I have seen computer support technicians work on a spyware/adware infected box for THREE DAYS before finally giving up and rebuilding. Get a freaking clue people!!! The box could have been rebuilt using Ghost, Microsoft ADS or your favorite imaging app in 20 to 60 minutes, yet you wasted 3 days. Holy crap! I seriously wanted to smack some of these people. There are some malware infections that are very simple to alleviate, but others are a real pain and most help desk people are not trained to deal with these types of things. It truly amazes me. I have had things handed to me that were not able to be "cleaned" by the help desk that I solved in 5-10 minutes, yet I spent the next 30 minutes verifying that it wasn't something more sinister. Rootkits are becoming more prevalent and more malware is using a "rootkit" driver to hide its processes, so why not make it easy on yourselves. Spend some time developing a process where you can burn your systems down to a wiped disk, apply an image or slipstreamed OS/app install and be done with it.

Geez...enough ranting. I need to work on my list of updated tools to put on this site but that probably won't happen until next week. I will have my podcast listing up tomorrow.

Wednesday, December 14, 2005

Crime Scene: What to do with a running system?

Are there any forensic specialists out there that analyze a machine while it is running at the crime scene before pulling the power? Why am I asking? I was sitting in a presentation this morning by a law enforcement officer who is said to be a court certified computer forensic expert. He stated that a machine should have its power cord unplugged upon seizure. Someone asked about dumping memory and his response was that it was saved in swap space and will be intact. I don't want to get into why this is not true, but I am curious how many people do live analysis before taking down a system. There is lots of juicy info available in memory that will be lost as soon as power is gone. Of course, if you have an idiot in front of the keyboard, more harm than good can be done. For a trained forensic specialist, I think they could get important information from the live system, document EXACTLY what they did and have it hold up in court. Any thoughts??
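Two things from the Helix post above and this one go together: scripts that image a drive and verify the result, and a record of EXACTLY what was done so the work holds up later. The script below is an added example, not Helix code and not from the original post. It copies a source (a file here; a block device such as /dev/sda on a real box, run as root from read-only media so nothing is written to the evidence disk) to an image while hashing the bytes as they are read, re-hashes the written image to confirm it matches, and appends every step with a timestamp, examiner and hostname to a log, the same idea as the `dcfldd hash=sha256 hashlog=...` workflow Helix ships. Memory on a live system needs a dedicated acquisition tool and is out of scope here; the evidence file, examiner name and paths in `demo()` are constructed.

```python
"""Disk/file imaging with on-the-fly hashing and a contemporaneous run log.
Added example, not Helix code and not from the original post. Handles
files and block devices; live memory needs a dedicated tool."""
import hashlib
import os
import platform
import tempfile
import time
from typing import Dict


def sha256_of(path: str, chunk: int = 1 << 20) -> str:
    """Hash a file or device in chunks so it never has to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def log_step(log_path: str, message: str) -> None:
    """Append one timestamped line; the log is the 'exactly what I did' record."""
    stamp = time.strftime("%Y-%m-%dT%H:%M:%S%z")
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(f"{stamp} {message}\n")


def verify_image(image: str, expected_sha256: str, log_path: str,
                 chunk: int = 1 << 20) -> bool:
    """Re-hash a stored image (e.g. before analysis days later) against the
    hash recorded at acquisition time, logging the outcome either way."""
    actual = sha256_of(image, chunk)
    ok = actual == expected_sha256
    log_step(log_path, f"VERIFY image={image} sha256={actual} match={ok}")
    return ok


def acquire(source: str, image: str, log_path: str,
            chunk: int = 1 << 20, examiner: str = "unknown") -> Dict[str, object]:
    """Copy `source` to `image`, hashing bytes as they are read, then re-read
    the image and compare. Returns byte count, hash and whether it verified."""
    log_step(log_path, f"BEGIN examiner={examiner} host={platform.node()} "
                       f"source={source} image={image} chunk={chunk}")
    read_hash = hashlib.sha256()
    total = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(chunk), b""):
            read_hash.update(block)     # hash what was read, not what we think we wrote
            dst.write(block)
            total += len(block)
        dst.flush()
        os.fsync(dst.fileno())          # make sure the image really hit the disk
    source_sha256 = read_hash.hexdigest()
    log_step(log_path, f"READ bytes={total} sha256={source_sha256}")
    verified = verify_image(image, source_sha256, log_path, chunk)
    log_step(log_path, "END")
    return {"bytes": total, "source_sha256": source_sha256, "verified": verified}


def demo() -> Dict[str, object]:
    """Constructed evidence: a 2.25 MB file stands in for a drive. Image it,
    verify, then alter one byte of the image and verify again."""
    work = tempfile.mkdtemp(prefix="acq-")
    source = os.path.join(work, "evidence.bin")
    image = os.path.join(work, "evidence.dd")
    log_path = os.path.join(work, "acquisition.log")
    with open(source, "wb") as f:
        f.write(b"constructed evidence bytes, not a real drive\n" * 50000)
    result = acquire(source, image, log_path, examiner="example")
    result["source_rehash_matches"] = sha256_of(source) == result["source_sha256"]
    with open(image, "r+b") as f:       # simulate a corrupted or altered image
        f.seek(12345)
        f.write(b"X")
    result["still_verifies_after_tamper"] = verify_image(
        image, result["source_sha256"], log_path)
    with open(log_path, encoding="utf-8") as f:
        result["log_lines"] = f.read().splitlines()
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value if key != "log_lines" else "\n  " + "\n  ".join(value))
```

The log and the image hash are what let you show a court (or a skeptical admin) that the copy you analyzed is the copy you took; the failed second `VERIFY` line in the demo is what a tampered or damaged image looks like in that log.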

Tuesday, December 13, 2005

CISSP - To Be or Not To Be...

I am seriously considering getting the CISSP. Why? Well, I almost feel like I am missing something by not having it. One of my good friends, whom I respect as a security professional, has had it for a couple of years. There are also two podcasts that I listen to regularly and both individuals are CISSPs. The content of the podcasts is excellent. Specifically, the Security Catalyst is excellent and put on by a CISSP trainer. His insight and topics are very good, much better than most of the podcasts and blogs that I read. Of course, that could be a singular instance and not an example of most CISSPs.

I was at a SANS conference last year where I was hanging out with two really sharp fellows when we weren't in the forensics class. We were having sushi and beer when the topic of CISSP came up. They were shocked that I didn't have it yet when I have more advanced certs already. They equated it to a kind of "foot-in-the-door" cert that recruiters look for when scanning applications. I shrugged it off thinking my more technical certs should outweigh the CISSP, but I am now reconsidering it.

This post is probably more than I want to devote to this topic for now until I talk to a few more friends in the sec biz to get their opinions. There will be a follow-up post about this later along with a post listing all the podcasts I listen to.

Monday, December 12, 2005

Easier & More Efficient Blogging...

I have been wanting to blog more often because I feel like I have lots of interesting things to add to the security world but find going to Blogger to be a small hurdle that prevents me from doing it. That is a truly lame excuse but it has been enough to cause me to search for more efficient blogging methods. I am now testing Flock, a new Open Source web browser designed to "make it easier to blog, publish your photos and share and discover things." If this is successful, you will start seeing daily blogs from me...which may lead me to my eventual goal of developing a podcast.