Monday, November 17, 2014

Principle of Least Privilege

What is the "Principle of Least Privilege"? It's the idea of only giving people access to what they need. It commonly comes up when talking about directories and file permissions, but it can apply to much more than that.

Tuesday, September 2, 2014

Celebrity Photo Leaks: Why the security community is not more interested

First of all, my sympathy goes out to the celebrities who have had their privacy compromised this weekend. Having your personal photos taken and plastered all over the internet is not fun or fair. I'm about to comment on things that could've been done to improve their privacy, but I am not placing the blame on them. As with any cyber-bullying typed event, the fault rests with the bully. And shame on them for abusing their knowledge to harm others.

If you keep tabs on both mainstream media and security blogs, you have probably noticed that this event has gotten lots of attention in the former, and almost done in the latter. This may seem odd as it seems this attack has had a fairly high impact, but it makes more sense when you look at the method of attack or "kill chain".

Thursday, August 28, 2014

JP Morgan "Hack"

Recently a number of mass media articles have started discussing a JP Morgan "hack" and alluded to 4 other companies that were also hacked. This story has the potential to be really interesting if more details emerge.

Friday, July 11, 2014

I don't know

Fair warning, this post is going to be very "professional developmenty".

I've watched this scenario play out a number of times already in my relatively short career. A manager asks a question of an employee, and the response is, "I don't know." Followed by an awkward silence while the manager waits for more.

Tuesday, May 27, 2014

Humility in Cyber Security

I'm about to (attempt to) wax eloquent about the philosophy of cyber security, so this post will probably get real existential (and perhaps not terribly applicable). Credit to John Strand for bringing up some of these talks during a recent conference.

A common adage on the elementary school playground is, "There's always someone out there bigger, stronger, and faster than you."

Tuesday, May 20, 2014

Blackshade: What does it mean for you

A new cyber security story has hit the news this week: Blackshade. The FBI put out a notification about it, so it's likely to get some play in the media. But what is Blackshade and what does it mean for you?

Tuesday, May 13, 2014

How long will our hearts bleed?

Here's an interesting tidbit: Google shows you a lot of information about your posts and the traffic to them.

This is especially interesting because of this article. I first posted it a couple days after Heartbleed came to light when there was lots of attention and activity. But now, weeks later it's still getting a decent amount of traffic. And it certainly isn't the only article about scanning for Heartbleed with nmap (one of my favorites), so we can assume that those other posts are getting as much or more traffic.

Friday, May 9, 2014

Heartbleed: Scanning Uncommon SSL Ports

Alright, I lied in a previous post. Definitely not done riding the Heartbleed bandwagon.

While we were scanning for Heartbleed at my company, it mostly helped us find systems that were vulnerable when the vendor or system owner claimed it was clean (That's a fun conversation to have with a system engineer).

Maliciously Verified

My team was recently contacted to dig into an issue with an application. A specific module refused to load while the rest of the app worked fine.

Sunday, May 4, 2014

Searching for Heartbleed Hijacked VPN Sessions

The Heartbleed incident is starting to settle down. At my company most of our systems are patched and secured now, which makes it a perfect time to go back and do a little post incident research.

Mandiant recently released an article about finding hijacked VPN sessions by correlating a number of log sources (including VPN logs, IPS logs, and web server logs). At my company we wanted to do the same thing, but on the cheap. Our infrastructure logs don't lend themselves well to that sort of search, so we limited ourselves to VPN logs. Here's what we did.

Monday, April 28, 2014

Why the Internet Needs Encryption

The internet was designed to feel like a point to point communication system so when you sign on to Facebook, it feels like you and Facebook are the only two engaged in the conversation.

Because of this encryption on the internet is often a hard topic to discuss with people. It sounds like you're telling them to whisper while talking to someone one on one in their living room.

Thursday, April 24, 2014

Heartbleed: Lessons Learned

Fixing Heartbleed has received a lot of investment in a very short amount of time, both money and time wise. In my own company a number of senior Incident Response handlers and network admins were basically given a blank check on resources by management and told to solve the problem as fast as possible, regardless of the cost (Pretty unusual at my company).

Monday, April 21, 2014

Crypto Currency: A really good idea

We are already using digital currency. Credit cards, online stores, paypal, Google Wallet, online banking, and many other activities are all examples of digital currency. We cannot get away from digital currency, even if we wanted to. But our digital currency is modelled after our physical currency which has introduced some difficulties and loopholes in it's usage.

Monday, April 14, 2014

Scan, Scan, and Scan Again for Heartbleed

Whatever scanner you choose to use, make sure to scan your resources thoroughly, both before and after you patch.

Crypto Currency: Making Dollars Distinguishable

In a previous post I discussed that one of the problems with digital currency is that the dollars are indistinguishable. If I pay Bank Eville Guys $100 and Bank Connman $100 there is no way to distinguish the different $100 dollars from each other.

Friday, April 11, 2014

Scanning for Heartbleed Efficiently

So now you have a Heartbleed scanner, what do you do?

At this point in the game you have probably picked at least one (probably two or three) scanners to work with when you're detecting Heartbleed vulnerabilities. Where do you start?

NMAP over Proprietary Heartbleed Scanners

We're a couple days into Heartbleed at this point and there are now a number of different scanners and tools available. I've detailed how to get NMAP to scan for Heartbleed here.

I've looked at a few of them, and I recommend using NMAP as a scanner for a number of reasons.

1. NMAP will allow you to scan interal network resources that are not available to the internet. Web based scanners can only look at what you expose to the greater internet.

Thursday, April 10, 2014

OpenSSL HeartBleed: Not a Computer Virus

Yes, I'm reusing this graphic again. Because it's awesome.
I've heard this question come up a couple of times in different forms, "Is Heartbleed a computer virus?" "Is my computer vulnerable to Heartbleed?"

Wednesday, April 9, 2014

Scanning for Heartbleed with NMAP

UPDATE: This script has now been released in NMAP 6.45 and is available upon download.

UPDATE: For advice on scanning efficiently, see my post here

Patrik Karlsson (@nevdull77) created an excellent script to scan for Heartbleed using NMAP. It's still in development, and hasn't been included in an official release yet, but here's how to get it if you're looking for it.

NOTE: Shout out to @bonsaiviking for pointing me towards the right files.

DISCLAIMER: Obviously this script may change without warning. I did not write the script, I am interested only in providing helpful instructions to install it quickly if you want to use it before it is officially released.

Download the latest version of nmap for your operating system here (

Hacking: Needles in Haystacks

The term "hacking" is often dramatized in the media and Hollywood. Here are some excellent examples.

Tuesday, April 8, 2014

OpenSSL Heart Bleed: Simplified

OpenSSL has released a patch for an issue being called the "Heart bleed issue". There are a couple good technical explanations out there already here and here but I'd like to break it down into basic terms.

You can also just read XKCD

Monday, April 7, 2014

Crypto Currency: Indistinguishable Dollars

Continuing the discussion on Crypto Currency, here's another issue with using digital dollars: the dollars are indistinguishable.

Friday, April 4, 2014

Crypto Currency: Solution to Creating Currency

In a previous post I discussed one of the problems with digital dollars being that it's difficult to monitor currency creation. Here is an explanation of the crypto currency solution to this problem.

The obvious solution is to have some governing body monitor currency and it's creation, similar to how we do now with having certain facilities that can create paper money. But let's not be too hasty in our conclusions. Digital money brings a fundamental shift because digital money can be copied very easily. Instead of creating the money physical money you have to keep track of the money that is spent.

Thursday, April 3, 2014

Guardium Overview

Yet another system summary I did for management (I've been pumping them out like jelly beans lately).

Guardium is a 100% certainty (in theory) database monitoring tool. This means that Guardium will process 100% of the queries that come through a database it is installed on, as opposed to performing sampling on database queries and capturing a percentage of the queries as most other monitoring tools do. Similar to LogRhythm the easiest way to get a picture of Guardium is to talk about how queries travel through Guardium and how they are used.

Monday, March 31, 2014

Crypto Currency: One of the Problems With Digital Dollars

I was at a family gathering recently and over heard a discussion about Bitcoin and a few common misconceptions were brought up. Rather than drag a family party down into the finer points of crypto currency, I decided to address a few of them here. First let's hit the issue with our current currency.

Wednesday, March 26, 2014

IPS/IDS Brief Explanation

Another summary I did for management:

IPS (Intrusion Prevention System) and IDS (Intrustion Detection System) both use technology that watches internet traffic and looks for attacks or intrusions using signatures and does some action based on any signatures the traffic matches. An IPS has the ability to block traffic that it considers suspicious, while an IDS only has traffic mirrored to it and cannot prevent any traffic from reaching it's destination.

Tuesday, March 25, 2014

SIEM Simplified

This was originally an email I sent to a member of my company's management team to give them an introduction to the basic SIEM concepts:

SIEM is really the business of looking for anomalies in data. Let's say we track your computer's login activity for a month and you log on to your computer daily at 8 am and 12:30 pm (when you arrive for the day and when you get back from lunch). Then suddenly and without warning we see your ID active at 3 am. That's an interesting anomaly.

Wednesday, March 19, 2014

Java vs. Javascript

I've heard a couple of people confuse Java and Javascript lately on the internet, and as a part of the internet, I feel the need to do my part to set the record straight, not from a technical perspective, but hopefully in a way that's a little easier to remember. Here we go:

Java is the Watchmen, Javascript is the Avengers.

Friday, March 14, 2014

Another Day, Another DDoS Method

DDoS is in the news again with a novel new method of creating high volume attacks, this time Wordpress is the source and target of this attack using a ping back feature.

Wednesday, March 12, 2014

Dissecting a Cyber Security Warning

My wife and I were watching the 700 club show recently and they did a piece about cyber security. The article and video can be found here.

The guest on the show describes a number of cyber threats

Tuesday, March 11, 2014

Groovy: Know Thine File I/O

Groovy is the topic of the day! And specifically groovy file IO.

As a disclaimer, I'm lazy with my file IO. As lazy as I can be. Which is why I love left shift

Monday, March 10, 2014

Proxy? What proxy?

That's how I've felt dealing with a few applications this last week.

Friday, March 7, 2014

DDoS Target: Unknown

A lot of media attention has been given to the unrest in Ukraine and Russia. With so much media focus, it's not surprising that terms like Cyber Security and Cyber Warfare will come up a lot. But there are often gaps in the information presented.

Thursday, March 6, 2014

DDoS Before Politics: Ukraine

Cross disciplinary discussion is always fun, right? My sister is an interpretor in Russia and follows the politics of the region much more closely than I do. She recently forwarded me this article which I found very interesting (ignore the technical mistakes in the article). I sent her a link to the Digital Attack Map and she pointed out that a number of key political events in recent history were preceded a day or two by a DDoS attack.

Now that's an interesting proposition. Let's take a closer look. For sources, I'm using the digital attack map and this article by the BBC

There were two DDoS attacks hitting Ukraine from unknown sources on December 7th.

IBM and Prism?

Since Edward Snowden did his stuff a lot of companies have revealed having worked with or cooperated with the NSA at some level. Microsoft, Google, Facebook, Yahoo, and several others are on that list. In their defense, several of these companies have started to push back and make government request for information public. But what about the companies who haven't taken that action or have chosen to say less?

Wednesday, March 5, 2014

Friday, February 28, 2014

Wednesday, February 26, 2014

Security Engineering Process: Where Compliance Meets Programming

I recently got asked to work on a project to help finalize a Security Engineering Process for my company. I haven't delved too deeply into the goals and deliverables yet, but the project title is interesting enough to me: Security Engineering Process Assessment. This is one of the few times I'm going to argue semantics are important, so let's break this down a little.

Friday, February 21, 2014

Privacy And Media Hype

As anyone who works in the IT Industry knows, how easily the media can understand a technical concept and then generate hype about it has a lot to do with how much attention it gets. While sometimes this brings important issues to light other times it lands pretty far off the mark.

Thursday, February 20, 2014

IE Zero Day: Response Required

Another day, another zero day vulnerability (Gosh, I love that term. So ominous. Like seeing a mushroom cloud). This time it's in IE 9 and 10.

Sunday, February 16, 2014

NTP and DDoS Attacks

A novel new method of creating a DDoS attack has been found: NTP. I've read a number of good technical explanations on how the attack was performed and the enormity of the data the attack sent (400 some GB), so I'd like to take a step back and talk about DDoS attacks in general.

Friday, February 14, 2014

WebSockets and Security Infrastructure

Web sockets are new and very cool. If you're not familiar with them wikipedia (as always) has a pretty good article.

Working on a websocket test app recently I had a connection that kept on failing.

Tuesday, February 4, 2014

Facebook: Finding Ways to Monetize

Facebook Paper is a new app for iOS that came out this week. It was advertised as shiny and new and had an oh-so-hipster commercial.

Friday, January 31, 2014

How Many Requests?

The web used to work like this:

I send an http request by typing say "" into my address bar, I get a single page back.

Simple, right? One request, one

Friday, January 24, 2014

Is Google Chrome Actually Listening?

If you've been watching security news this week, you've probably seen a number of articles about this exploit that the writer claims allows Google chrome to be turned into a surveillance tool. If true, this could be very concerning for Chrome users, but with all things cyber-security related, it's best to apply some analysis to the situation before one runs to the hills. Here is some of the analysis and questions I asked myself going through this exploit.

Saturday, January 18, 2014

Target Malware Attack: Are you at risk?

It's recently been made known that the Target security breach was at least partially caused by malware installed on their POS systems. There are already a number of good technical explanations of how these work, so I won't add to that. I'd rather discuss if your business is at risk. Most of the content from this post comes from an email I sent my manager on the subject.

Friday, January 17, 2014

Engineers vs. Help Desk Technicians

Second post coming out of my work combining two teams and creating a help desk.

I've spent a lot of time studying the different between an engineer and a help desk technician. I think it's easiest to approach it through bullet points:

Friday, January 10, 2014

Help Desks

This post isn't security oriented, or technical. It's just what I'm working on most recently. At work a management decision recently blended our Network Infrastructure and Security Teams together and I was asked to run a project melding the two "on call responsibilities" and figure out a single point of contact or help desk setup so people would know how to contact us.

Friday, January 3, 2014

Is I Robot coming?

Google has been in the news a lot lately for buying a number of robotics companies. If you're not familiar, just search "google robotics" and read an article similar to, "Google plans to take over the world with advanced robotic war machines" (or something that sounds catchier with the same meaning).