Tuesday, May 27, 2014

Humility in Cyber Security

I'm about to (attempt to) wax eloquent about the philosophy of cyber security, so this post will probably get real existential (and perhaps not terribly applicable). Credit to John Strand for bringing up some of these talks during a recent conference.

A common adage on the elementary school playground is, "There's always someone out there bigger, stronger, and faster than you."

Tuesday, May 20, 2014

Blackshade: What does it mean for you

A new cyber security story has hit the news this week: Blackshade. The FBI put out a notification about it, so it's likely to get some play in the media. But what is Blackshade and what does it mean for you?

Tuesday, May 13, 2014

How long will our hearts bleed?

Here's an interesting tidbit: Google shows you a lot of information about your posts and the traffic to them.

This is especially interesting because of this article. I first posted it a couple of days after Heartbleed came to light, when there was lots of attention and activity. But now, weeks later, it's still getting a decent amount of traffic. And it certainly isn't the only article about scanning for Heartbleed with nmap (one of my favorites), so we can assume that those other posts are getting as much or more traffic.

Friday, May 9, 2014

Heartbleed: Scanning Uncommon SSL Ports

Alright, I lied in a previous post. Definitely not done riding the Heartbleed bandwagon.

While we were scanning for Heartbleed at my company, it mostly helped us find systems that were vulnerable when the vendor or system owner claimed they were clean (that's a fun conversation to have with a system engineer).

Maliciously Verified

My team was recently contacted to dig into an issue with an application. A specific module refused to load while the rest of the app worked fine.

Sunday, May 4, 2014

Searching for Heartbleed Hijacked VPN Sessions

The Heartbleed incident is starting to settle down. At my company most of our systems are patched and secured now, which makes it a perfect time to go back and do a little post-incident research.

Mandiant recently released an article about finding hijacked VPN sessions by correlating a number of log sources (including VPN logs, IPS logs, and web server logs). At my company we wanted to do the same thing, but on the cheap. Our infrastructure logs don't lend themselves well to that sort of search, so we limited ourselves to VPN logs. Here's what we did.