Tuesday, March 31, 2015
Part of network security involves fancy technology, specialized devices, and ever-advancing techniques. The crooks are constantly improving their craft, and so must the defenders. But an equally important part of security involves mundane and boring tasks, tasks such as looking through log files for indications that something undesirable happened or that someone has gained unauthorized access - i.e. Forensics 101.
There are myriad tools available for searching, whether on Windows, Linux, or Mac. I am of the opinion that a security expert (or system administrator) needs to understand the command line and built-in tools first. There are times when you don't have the luxury of installing or using custom tools and have to make do with what comes on the operating system. If that system is Windows, you get Find and Findstr.
Tuesday, March 24, 2015
Social media risks and rewards
Do you know with whom you share, and what you share, on social networks?
I've had around a dozen conversations about social media in the last few months. Conversations with friends and family, with colleagues, and with professional peers. Conversations about differences in uses and privacy implications, as well as conversations about examples of ill-advised sharing. Over the weekend I had a brief Twitter conversation with Rafal Los (aka Wh1t3rabbit) bemoaning recent LinkedIn changes that make it difficult to introduce ourselves when requesting a connection.
On top of that, there have been a couple of widely publicized news stories recently about direct consequences of social sharing: a Dallas teenager accepted a job with a pizzeria, and proceeded to badmouth the job to friends on Twitter. Word got back to the shop owner, who fired her before she started. Then the New York Times ran a story of a senior director of communications whose poorly conceived tweet cost her a high-ranking job.
Tuesday, March 17, 2015
Security B-Sides Austin: Recapping a hacker conference
March 12 and 13, about 250 hackers and security practitioners from around Texas (and as far away as Canada) descended upon Round Rock, a suburb of Austin, for two days of training and research presentations. Security B-Sides sprang up in 2009 as an alternative to the major (and highly attended) conferences such as Blackhat and RSA: there's not much opportunity to talk one-on-one with a researcher at a conference attended by 10,000. In 2009, the inaugural B-Sides was held in Las Vegas; a year later, B-Sides Austin launched, timed to coincide with the annual Spring Break phenomenon known as SXSW (South by Southwest). For 2015, over 30 events in North and South America and Europe are scheduled, with more in the planning stages.
I refer to B-Sides as a hacker conference. Some readers may take offense. I use hacker in its original (and to many, "real") sense: one who knows a topic well and can modify something to do his or her will, rather than what the creator intended. That culture has nothing to do with malicious use of computers - it is the culture that led to automotive performance shops, or the motorcycle customization industry glamorized by West Coast Choppers, to name two examples. A hacker could be known less controversially as a maker, or a tinkerer, or a modder - or an engineer. In that sense, I am proud to wear the label of hacker.
Tuesday, March 10, 2015
The week in tech news
Monday seemed to be "the day" for big technology and security news. Several big stories broke yesterday, so rather than dive deep into a topic this week, I am going to summarize what you need to know: Rowhammer, FREAK, iOS 8.2, Apple Watch, and [added Tuesday] Microsoft's massive Patch Tuesday.
Wednesday, March 4, 2015
The closed account that wasn't
This morning I received an unexpected message to my mailbox. Wells Fargo was informing me that my account had been locked due to three attempts to log in with an incorrect password. This is pretty good security: an attacker cannot keep trying passwords forever since the account is locked after the third try, and the bank alerted me via the email they had on record for the rightful owner of the account. Locking the account is a common way to prevent an attacker from discovering a password randomly (though it does nothing to protect against an actual password that is stolen). Alerting the account owner means I can change my password and look for any unexpected transactions or other changes to the account.
Tuesday, February 24, 2015
These are a few of my favorite blogs
In no particular order, a list of security bloggers and information sources I find useful:
- Krebs on Security (Brian Krebs)
- Graham Cluley
- Hot for Security
- lcamtuf (Michal Zalewski)
- Troy Hunt
- Full Disclosure (mostly vulnerability disclosures)
- F-Secure Labs
- SANS Internet Storm Center
- SANS Curated News
- SANS Industrial Control Systems Blog
- SANS Digital Forensics and Incident Response Blog
- Exploit DB
- Microsoft Security Response Center
- Dave Shackleford
- Google Project Zero issue tracker
- Google Project Zero blog
- Google Online Security Blog
- Carnal0wnage (Chris Gates)
- OpenDNS Labs
- Dark Reading
- Help Net Security
- Verizon Security Blog
- Errata Rob (Robert Graham)
- Wh1t3 Rabbit (Rafal Los)
- Schneier on Security (Bruce Schneier)
- Social-Engineer
- Common Exploits (Daniel Compton)
- McAfee Labs
- CSO Online Dashboard / Security News
- Uncommon Sense Security (Jack Daniel)
Podcasts
- SANS Internet Storm Center
- Chet Chat (Sophos Security)
- Southern Fried Security
- Brakeing Down Security
- Defensive Security
- Paul's Security Weekly
- Social-Engineer
- Down the Security Rabbithole (Wh1t3 Rabbit's DtSR)
...and a few not necessarily security-related:
- nixcraft - knowledge of all things *nix
- Command Line Kung Fu - just what it says, for Windows, *nix, and PowerShell
- iptables tutorial - great primer on the *nix iptables firewall
Along with some useful finds:
- CapTipper: Malicious HTTP traffic explorer tool. Point it at a PCAP or live traffic and easily pull out hosts, conversations, downloaded files, etc.
- Bit.ly to track malware outbreaks: A short piece using bit.ly's click analysis to view geographic distribution and infection rates.
- Pemcrack: ErrataRob's tool to crack SSL PEM files that hold encrypted private keys (first authored to crack the Superfish cert)
- Recommended forensic reading: a list of books
- APTNotes: Github repository of whitepapers, docs and articles related to APT campaigns
- Telerik Fiddler: web debugging proxy
Please reply in the comments below if you have a favorite that I overlooked!
Thursday, February 19, 2015
Lenovo PCs preloaded with "Superfish" malware that breaks security
Technology and security are rife with shades of grey. Even in this field though, some lines are so indistinguishable from black that they should never be crossed. Laptop maker Lenovo crossed one of these lines with recent models, by pre-installing adware that breaks otherwise secure HTTPS website connections.
Recent Lenovo laptops include what can only be described as malware, malware that intercepts all web traffic whether secured or not. The "VisualDiscovery" adware from a company called Superfish reads all web traffic and injects advertisements into web pages. In doing so it completely breaks HTTPS security.