DarkReading Evil Bytes Weblog http://www.darkreading.com/blog/ Copyright 2010 Thu, 11 Mar 2010 12:56:10 -0500 http://www.movabletype.org/?v=3.14 http://blogs.law.harvard.edu/tech/rss

Challenge Yourself To Be Better By John Sawyer If you've been in the information security field for more than six months, then you know it's vital to stay on top of the latest threats, tools, and news to be effective at your job. That's why many of us love the field so much--it's always changing. And it challenges us.

http://www.darkreading.com/blog/archives/2010/03/challenge_yours.html?cid=RSSfeed_DR_ALL Evil Bytes Thu, 11 Mar 2010 12:56:10 -0500
New Analysis Tools For Windows Memory By John Sawyer Last week I looked at some creative uses of log analysis for detecting malware, and ways to acquire Windows physical memory for analysis. What I've seen time and time again is that those in charge of security don't even bother to log information from their systems and applications, leading them to a much larger incident response scenario than if they could have detected it sooner.

http://www.darkreading.com/blog/archives/2010/03/new_analysis_to.html?cid=RSSfeed_DR_ALL Evil Bytes Mon, 08 Mar 2010 14:24:27 -0500
Acquiring Windows Memory For Incident Response By John Sawyer It was a busy week. Some of you made the annual trek out to San Francisco, while the rest of you were stuck working diligently in your office. Me...well, I'm in the latter group.

http://www.darkreading.com/blog/archives/2010/03/acquiring_windo.html?cid=RSSfeed_DR_ALL Evil Bytes Fri, 05 Mar 2010 14:57:04 -0500
Creative Approaches To Malware Detection By John Sawyer Cyberwar and advanced persistent threats (APT) are fun terms thrown around a lot lately. Everyone seems to have their own slightly varied opinion on what they each mean. Personally, I don't care all that much what the different nuances of each are as long as I can understand the associated threats and deal with them appropriately.

http://www.darkreading.com/blog/archives/2010/03/creative_approa.html?cid=RSSfeed_DR_ALL Evil Bytes Mon, 01 Mar 2010 15:21:46 -0500
Fight Malware With Software Restriction Policies By John Sawyer Good news for Department of Defense folks. They can now start using USB flash drives again -- provided there's absolutely no other way to transfer the data from point A to point B. OK, so maybe it isn't time to rejoice just yet.

http://www.darkreading.com/blog/archives/2010/02/fight_malware_w.html?cid=RSSfeed_DR_ALL Evil Bytes Wed, 24 Feb 2010 16:13:36 -0500
Enhancing Botnet Detection With Manpower By John Sawyer The average computer user (a.k.a. most of my family) doesn't have a fighting chance. I hate to say it, but the malware we're seeing on a daily basis makes this scary fact ever more true. There is absolutely no way that most home users are going to be able to protect themselves against modern malware like Zeus. Malware authors have become extremely good and proficient at what they do because it's making them money.

http://www.darkreading.com/blog/archives/2010/02/boost_botnet_de.html?cid=RSSfeed_DR_ALL Evil Bytes Mon, 22 Feb 2010 14:14:52 -0500
Penetration Testing Is Sexy, But Mature? By John Sawyer The buzz generated from Core Security's move to integrate with the Metasploit Framework has left me a little puzzled. Don't get me wrong: I love Metasploit. It's a fantastic tool that has certainly been put through its paces as a pen-testing tool -- it's free, open source, and extremely accessible to aspiring security professionals. And, of course, I've heard great things about Core's flagship product, Impact Pro. But the deal just seems like an odd move.

http://www.darkreading.com/blog/archives/2010/02/penetration_tes.html?cid=RSSfeed_DR_ALL Evil Bytes Wed, 17 Feb 2010 14:40:12 -0500
Speeding Incident Response With 'Indicators' Of A Compromise By John Sawyer Advanced persistent threat: I like the term -- it sounds evil, and it is...well, at least I think it is. There has been a lot of news, opinions, and genuine FUD on APT since Google went public with news of its breach several weeks ago. Until then, I really don't think anyone ever paid much attention to what APT was, even though well-respected people, like Richard Bejtlich and the folks at Mandiant, have been talking about it for a while.

http://www.darkreading.com/blog/archives/2010/02/speeding_ir_wit.html?cid=RSSfeed_DR_ALL Evil Bytes Wed, 10 Feb 2010 13:39:03 -0500
Updated Tool Targets Facebook Security By John Sawyer Security issues surrounding social networking sites make me cringe. I understand their practical applications, but they are also the platform for easy delivery of exploits through social engineering. I've seen many systems compromised by the unconscious click on a Facebook link. Users' nonchalance on similar sites and their trust in the Internet frustrate me to no end.

http://www.darkreading.com/blog/archives/2010/02/updated_tool_ta.html?cid=RSSfeed_DR_ALL Evil Bytes Wed, 03 Feb 2010 14:15:05 -0500
When Software Glitches Are Fatal -- Literally By John Sawyer Hearing about how many companies were hacked during the Aurora attacks due to a software vulnerability in Microsoft's Internet Explorer (IE) is frustrating. Now another attack is ready to be unveiled at Black Hat DC that also uses an IE "feature." The thought of what can and has happened because of these flaws is scary -- theft of personal information, espionage, identity theft, etc. -- but what happens when software glitches lead to death?

http://www.darkreading.com/blog/archives/2010/02/software_glitch.html?cid=RSSfeed_DR_ALL Evil Bytes Mon, 01 Feb 2010 14:50:41 -0500
Operating In An Insecure World By John Sawyer I've heard of the idea of operating day-to-day with the assumption that your organization is already compromised, and I just saw it reiterated in the Tenable Security Blog, but I think it's a tough one to swallow for most organizations. There has to be some level of trust within an organization; otherwise, how could you get any business done? But as tough as it is to accept, there is value in taking this approach.

http://www.darkreading.com/blog/archives/2010/01/operating_in_an.html?cid=RSSfeed_DR_ALL Evil Bytes Fri, 22 Jan 2010 14:47:22 -0500
User Security After The Google Hack By John Sawyer Last week's news about the Google hack has really raised some eyebrows. Doe-eyed users have learned the harsh truth that anyone can be hacked. The news of 20 or more other companies also being targeted along with Google made the impact that much worse.

http://www.darkreading.com/blog/archives/2010/01/user_security_p.html?cid=RSSfeed_DR_ALL Evil Bytes Wed, 20 Jan 2010 14:10:09 -0500
The Inconvenient Truth Behind Security By John Sawyer A co-worker forwarded me an e-mail in which the original sender was asking about running vulnerability scans on his own and stated he was concerned about the scans causing downtime while the servers were being tested.

http://www.darkreading.com/blog/archives/2010/01/the_inconvenien.html?cid=RSSfeed_DR_ALL Evil Bytes Mon, 11 Jan 2010 14:55:24 -0500
When PDFs And Flash Files Attack By John Sawyer It's getting harder to protect our users from threats coming at them from seemingly trusted places. The Websites they've been using for years are suddenly the source of attacks through malicious advertisements being pushed to the "trusted" site by a third-party advertising service. File format attacks against Adobe's Flash and Acrobat are becoming the exploit du jour for attackers.

http://www.darkreading.com/blog/archives/2010/01/when_pdfs_and_f.html?cid=RSSfeed_DR_ALL Evil Bytes Fri, 08 Jan 2010 14:18:03 -0500
Detecting DNS Hijacks Via Network Monitoring By John Sawyer Last year saw a slew of different DNS attacks. The most recent incident was the hijacking of Twitter's DNS records to redirect to a Website stating, "This site has been hacked by the Iranian Cyber Army." Though the impact to a company's public image can be large, DNS redirection attacks have the potential to be even more devastating than a tarnished image.

http://www.darkreading.com/blog/archives/2010/01/dns_hijack_dete.html?cid=RSSfeed_DR_ALL Evil Bytes Wed, 06 Jan 2010 14:52:25 -0500
Fixing The Security Disconnect By John Sawyer A disconnect often exists between security teams and the population they serve. I'm not referring to just users -- of course, you'll pretty much always find a rift between security and users -- but instead I mean the disconnect that often occurs among network groups, system administrators, developers, and similar groups.

http://www.darkreading.com/blog/archives/2009/12/closing_the_sec.html?cid=RSSfeed_DR_ALL Evil Bytes Thu, 24 Dec 2009 09:49:09 -0500
Paper-Based Breaches Just As Damaging By John Sawyer IT tends to forget about things that aren't electronic. But you remember that stuff called paper, right? Have you considered that printed documents are just as damaging to a company's reputation should they get into the wrong hands as electronic data stored in an Excel spreadsheet or database server?

http://www.darkreading.com/blog/archives/2009/12/paperbased_brea.html?cid=RSSfeed_DR_ALL Evil Bytes Mon, 21 Dec 2009 15:10:32 -0500
Making Your IDS Work For You By John Sawyer Talk to anyone who knows anything about running an intrusion detection system (IDS), and he will tell you one of the most important processes during the initial deployment is tuning. It's also one of the important operational tasks that go on as new rules are released to make sure they are relevant to the environment you're tasked to protect.

http://www.darkreading.com/blog/archives/2009/12/making_your_ids.html?cid=RSSfeed_DR_ALL Evil Bytes Fri, 18 Dec 2009 15:13:16 -0500
Christmas Wish List: Patching & Whitelisting By John Sawyer Christmas is next week, and if I were putting together a wish list of things to help lock down my enterprises, I'd have to put patch management and application whitelisting at the top. Why? It's simple. The two together could deliver the one-two punch to knock out the majority of compromises I've been seeing lately.

http://www.darkreading.com/blog/archives/2009/12/christmas_wish.html?cid=RSSfeed_DR_ALL Evil Bytes Wed, 16 Dec 2009 14:13:58 -0500
What It Takes To Have True Visibility Into Web Attacks By John Sawyer I'm one of those people who takes extensive notes but rarely goes back and reads them. Today was one of those exceptions: I was looking through Evernote for something, and a statement I'd copied some time ago stuck out.

http://www.darkreading.com/blog/archives/2009/12/having_visibili.html?cid=RSSfeed_DR_ALL Evil Bytes Mon, 14 Dec 2009 14:53:35 -0500
Detecting Viral Persistence By John Sawyer Persistence is something that malware strives to achieve. If malware cannot survive the monthly reboot due to the Microsoft patch cycle or the usual Windows troubleshooting process (reboot first!), then it's going to have a short lifetime and little effectiveness. There are a few exceptions to the rule in terms of persistence.

http://www.darkreading.com/blog/archives/2009/12/detecting_viral.html?cid=RSSfeed_DR_ALL Evil Bytes Wed, 09 Dec 2009 15:00:28 -0500
'Capture The Flag' Contest Targets End Users By John Sawyer Capture the flag (CTF) competitions and similarly organized scenario-based "games" can be a great learning experience for security professionals of all experience levels. Contestants are typically forced to work under pressure and in scenarios that range from real-world situations to extreme, all-out cyber-warfare.

http://www.darkreading.com/blog/archives/2009/12/ctf_event_focus.html?cid=RSSfeed_DR_ALL Evil Bytes Mon, 07 Dec 2009 19:49:15 -0500
Test Drive Of Metasploit's NeXpose Plug-In By John Sawyer Rapid7's acquisition of the Metasploit Project caused a lot of heads to turn. Concerns were raised about the project's future, specifically that of the Metasploit Framework. I held back from saying anything at the time because I was hoping for the best. Yesterday marked the first Metasploit Framework release that shows promise of the future by including integration with Rapid7's NeXpose vulnerability scanner.

http://www.darkreading.com/blog/archives/2009/12/test_drive_of_m.html?cid=RSSfeed_DR_ALL Evil Bytes Wed, 02 Dec 2009 15:46:37 -0500
Security Lessons From Couple's White House Hijinks By John Sawyer Even the most stringent security procedures have failures. That fact was evident when the U.S. Secret Service learned a Virginia couple slipped into last week's state dinner at the White House.

http://www.darkreading.com/blog/archives/2009/11/security_lesson.html?cid=RSSfeed_DR_ALL Evil Bytes Mon, 30 Nov 2009 14:51:22 -0500
Kudos To F-Response's New IR Tool For Ease Of Use By John Sawyer F-Response TACTICAL will be released on Thanksgiving Day, with the promise of a plug-and-play ease to help cyber investigators quickly get the evidence they need from live systems.

http://www.darkreading.com/blog/archives/2009/11/new_tactical_ir.html?cid=RSSfeed_DR_ALL Evil Bytes Wed, 25 Nov 2009 16:27:41 -0500